diff --git a/README.md b/README.md index 8da8268fa..8f779a71e 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,44 @@ +## Security Onion 2.0.0.rc1 + +Security Onion 2.0.0 RC1 is here! This version requires a fresh install, but there is good news - we have brought back soup! From now on, you should be able to run soup on the manager to upgrade your environment to RC2 and beyond! + +### Changes: +- Re-branded 2.0 to give it a fresh look +- All documentation has moved to our [docs site](https://docs.securityonion.net/en/2.0) +- soup is alive! Note: This tool only updates Security Onion components. Please use the built-in OS update process to keep the OS and other components up to date. +- so-import-pcap is back! See the docs [here](http://docs.securityonion.net/en/2.0/so-import-pcap). +- Fixed issue with so-features-enable +- Users can now pivot to PCAP from Suricata alerts +- ISO install now prompts users to create an admin/sudo user instead of using a default account name +- The web email & password set during setup is now used to create the initial accounts for TheHive, Cortex, and Fleet +- Fixed issue with disk cleanup +- Changed the default permissions for /opt/so to keep non-priviledged users from accessing salt and related files +- Locked down access to certain SSL keys +- Suricata logs now compress after they roll over +- Users can now easily customize shard counts per index +- Improved Elastic ingest parsers including Windows event logs and Sysmon logs shipped with WinLogbeat and Osquery (ECS) +- Elastic nodes are now "hot" by default, making it easier to add a warm node later +- so-allow now runs at the end of an install so users can enable access right away +- Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardized and copied to `event.severity`: + - 1-Low / 2-Medium / 3-High / 4-Critical +- Initial implementation of alerting queues: + - Low & Medium alerts are accessible through Kibana & Hunt + - High & Critical alerts are accessible through Kibana, Hunt and sent to TheHive for immediate analysis +- ATT&CK Navigator is now a statically-hosted site in the nginx container +- Playbook + - All Sigma rules in the community repo (500+) are now imported and kept up to date + - Initial implementation of automated testing when a Play's detection logic has been edited (i.e., Unit Testing) + - Updated UI Theme + - Once authenticated through SOC, users can now access Playbook with analyst permissions without login +- Kolide Launcher has been updated to include the ability to pass arbitrary flags - new functionality sponsored by SOS +- Fixed issue with Wazuh authd registration service port not being correctly exposed +- Added option for exposure of Elasticsearch REST API (port 9200) to so-allow for easier external querying/integration with other tools +- Added option to so-allow for external Strelka file uploads (e.g., via `strelka-fileshot`) +- Added default YARA rules for Strelka -- default rules are maintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base +- Added the ability to use custom Zeek scripts +- Renamed "master server" to "manager node" +- Improved unification of Zeek and Strelka file data + ## Hybrid Hunter Beta 1.4.1 - Beta 3 - Fix install script to handle hostnames properly. @@ -62,7 +103,7 @@ - Fixed an issue where geoip was not properly parsed. - ATT&CK Navigator is now it's own state. - Standlone mode is now supported. -- Mastersearch previously used the same Grafana dashboard as a Search node. It now has its own dashboard that incorporates panels from the Master node and Search node dashboards. +- Managersearch previously used the same Grafana dashboard as a Search node. It now has its own dashboard that incorporates panels from the Manager node and Search node dashboards. ### Known Issues: diff --git a/VERSION b/VERSION index 347f5833e..d0c10bc48 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.4.1 +2.0.0-rc.1 \ No newline at end of file diff --git a/exclude-list.txt b/exclude-list.txt deleted file mode 100644 index e69de29bb..000000000 diff --git a/files/firewall/assigned_hostgroups.local.map.yaml b/files/firewall/assigned_hostgroups.local.map.yaml index 6dff82823..5d9b662b6 100644 --- a/files/firewall/assigned_hostgroups.local.map.yaml +++ b/files/firewall/assigned_hostgroups.local.map.yaml @@ -13,8 +13,8 @@ role: fleet: heavynode: helixsensor: - master: - mastersearch: + manager: + managersearch: standalone: searchnode: sensor: \ No newline at end of file diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml index 9d2c4c0c7..794105627 100644 --- a/files/firewall/hostgroups.local.yaml +++ b/files/firewall/hostgroups.local.yaml @@ -12,6 +12,10 @@ firewall: ips: delete: insert: + elasticsearch_rest: + ips: + delete: + insert: fleet: ips: delete: @@ -20,7 +24,7 @@ firewall: ips: delete: insert: - master: + manager: ips: delete: insert: @@ -44,6 +48,10 @@ firewall: ips: delete: insert: + strelka_frontend: + ips: + delete: + insert: syslog: ips: delete: @@ -59,4 +67,4 @@ firewall: wazuh_authd: ips: delete: - insert: \ No newline at end of file + insert: diff --git a/pillar/docker/config.sls b/pillar/docker/config.sls index 3c90b710a..4d70fd517 100644 --- a/pillar/docker/config.sls +++ b/pillar/docker/config.sls @@ -1,12 +1,12 @@ -{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%} +{%- set FLEETMANAGER = salt['pillar.get']('static:fleet_manager', False) -%} {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%} -{% set WAZUH = salt['pillar.get']('master:wazuh', '0') %} -{% set THEHIVE = salt['pillar.get']('master:thehive', '0') %} -{% set PLAYBOOK = salt['pillar.get']('master:playbook', '0') %} -{% set FREQSERVER = salt['pillar.get']('master:freq', '0') %} -{% set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') %} -{% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} -{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %} +{% set WAZUH = salt['pillar.get']('manager:wazuh', '0') %} +{% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %} +{% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %} +{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %} +{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %} +{% set ZEEKVER = salt['pillar.get']('static:zeekversion', 'COMMUNITY') %} +{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} eval: containers: @@ -20,7 +20,7 @@ eval: - so-soc - so-kratos - so-idstools - {% if FLEETMASTER %} + {% if FLEETMANAGER %} - so-mysql - so-fleet - so-redis @@ -44,7 +44,6 @@ eval: {% endif %} {% if PLAYBOOK != '0' %} - so-playbook - - so-navigator {% endif %} {% if FREQSERVER != '0' %} - so-freqserver @@ -64,7 +63,7 @@ heavy_node: - so-suricata - so-wazuh - so-filebeat - {% if BROVER != 'SURICATA' %} + {% if ZEEKVER != 'SURICATA' %} - so-zeek {% endif %} helix: @@ -84,7 +83,7 @@ hot_node: - so-logstash - so-elasticsearch - so-curator -master_search: +manager_search: containers: - so-nginx - so-telegraf @@ -100,7 +99,7 @@ master_search: - so-elastalert - so-filebeat - so-soctopus - {% if FLEETMASTER %} + {% if FLEETMANAGER %} - so-mysql - so-fleet - so-redis @@ -116,7 +115,6 @@ master_search: {% endif %} {% if PLAYBOOK != '0' %} - so-playbook - - so-navigator {% endif %} {% if FREQSERVER != '0' %} - so-freqserver @@ -124,7 +122,7 @@ master_search: {% if DOMAINSTATS != '0' %} - so-domainstats {% endif %} -master: +manager: containers: - so-dockerregistry - so-nginx @@ -143,7 +141,7 @@ master: - so-kibana - so-elastalert - so-filebeat - {% if FLEETMASTER %} + {% if FLEETMANAGER %} - so-mysql - so-fleet - so-redis @@ -159,7 +157,6 @@ master: {% endif %} {% if PLAYBOOK != '0' %} - so-playbook - - so-navigator {% endif %} {% if FREQSERVER != '0' %} - so-freqserver @@ -189,7 +186,7 @@ sensor: - so-telegraf - so-steno - so-suricata - {% if BROVER != 'SURICATA' %} + {% if ZEEKVER != 'SURICATA' %} - so-zeek {% endif %} - so-wazuh diff --git a/pillar/elasticsearch/eval.sls b/pillar/elasticsearch/eval.sls new file mode 100644 index 000000000..2dbb08f59 --- /dev/null +++ b/pillar/elasticsearch/eval.sls @@ -0,0 +1,13 @@ +elasticsearch: + templates: + - so/so-beats-template.json.jinja + - so/so-common-template.json + - so/so-firewall-template.json.jinja + - so/so-flow-template.json.jinja + - so/so-ids-template.json.jinja + - so/so-import-template.json.jinja + - so/so-osquery-template.json.jinja + - so/so-ossec-template.json.jinja + - so/so-strelka-template.json.jinja + - so/so-syslog-template.json.jinja + - so/so-zeek-template.json.jinja \ No newline at end of file diff --git a/pillar/elasticsearch/search.sls b/pillar/elasticsearch/search.sls new file mode 100644 index 000000000..9ff97de5b --- /dev/null +++ b/pillar/elasticsearch/search.sls @@ -0,0 +1,13 @@ +elasticsearch: + templates: + - so/so-beats-template.json.jinja + - so/so-common-template.json + - so/so-firewall-template.json.jinja + - so/so-flow-template.json.jinja + - so/so-ids-template.json.jinja + - so/so-import-template.json.jinja + - so/so-osquery-template.json.jinja + - so/so-ossec-template.json.jinja + - so/so-strelka-template.json.jinja + - so/so-syslog-template.json.jinja + - so/so-zeek-template.json.jinja diff --git a/pillar/firewall/ports.sls b/pillar/firewall/ports.sls index 29f711c13..4f7c06bec 100644 --- a/pillar/firewall/ports.sls +++ b/pillar/firewall/ports.sls @@ -17,7 +17,7 @@ firewall: - 5644 - 9822 udp: - master: + manager: ports: tcp: - 1514 diff --git a/pillar/logstash/eval.sls b/pillar/logstash/eval.sls deleted file mode 100644 index 39a87dc77..000000000 --- a/pillar/logstash/eval.sls +++ /dev/null @@ -1,21 +0,0 @@ -logstash: - pipelines: - eval: - config: - - so/0800_input_eval.conf - - so/1002_preprocess_json.conf - - so/1033_preprocess_snort.conf - - so/7100_osquery_wel.conf - - so/8999_postprocess_rename_type.conf - - so/9000_output_bro.conf.jinja - - so/9002_output_import.conf.jinja - - so/9033_output_snort.conf.jinja - - so/9100_output_osquery.conf.jinja - - so/9400_output_suricata.conf.jinja - - so/9500_output_beats.conf.jinja - - so/9600_output_ossec.conf.jinja - - so/9700_output_strelka.conf.jinja - templates: - - so/so-beats-template.json - - so/so-common-template.json - - so/so-zeek-template.json diff --git a/pillar/logstash/master.sls b/pillar/logstash/manager.sls similarity index 92% rename from pillar/logstash/master.sls rename to pillar/logstash/manager.sls index 1ff41b43c..9c16d2625 100644 --- a/pillar/logstash/master.sls +++ b/pillar/logstash/manager.sls @@ -1,6 +1,6 @@ logstash: pipelines: - master: + manager: config: - so/0009_input_beats.conf - so/0010_input_hhbeats.conf diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls index 6b3d0422e..486deb408 100644 --- a/pillar/logstash/search.sls +++ b/pillar/logstash/search.sls @@ -11,6 +11,3 @@ logstash: - so/9500_output_beats.conf.jinja - so/9600_output_ossec.conf.jinja - so/9700_output_strelka.conf.jinja - templates: - - so/so-common-template.json - - so/so-zeek-template.json diff --git a/pillar/top.sls b/pillar/top.sls index a691cf028..889f0b63f 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -6,43 +6,46 @@ base: - match: compound - zeek - '*_mastersearch or *_heavynode': + '*_managersearch or *_heavynode': - match: compound - logstash - - logstash.master + - logstash.manager - logstash.search + - elasticsearch.search '*_sensor': - static - - brologs + - zeeklogs - healthcheck.sensor - minions.{{ grains.id }} - '*_master or *_mastersearch': + '*_manager or *_managersearch': - match: compound - static - data.* - secrets - minions.{{ grains.id }} - '*_master': + '*_manager': - logstash - - logstash.master + - logstash.manager '*_eval': - - static - data.* - - brologs + - zeeklogs - secrets - healthcheck.eval + - elasticsearch.eval + - static - minions.{{ grains.id }} '*_standalone': - logstash - - logstash.master + - logstash.manager - logstash.search + - elasticsearch.search - data.* - - brologs + - zeeklogs - secrets - healthcheck.standalone - static @@ -54,13 +57,13 @@ base: '*_heavynode': - static - - brologs + - zeeklogs - minions.{{ grains.id }} '*_helix': - static - fireeye - - brologs + - zeeklogs - logstash - logstash.helix - minions.{{ grains.id }} @@ -75,4 +78,5 @@ base: - static - logstash - logstash.search + - elasticsearch.search - minions.{{ grains.id }} diff --git a/pillar/brologs.sls b/pillar/zeeklogs.sls similarity index 97% rename from pillar/brologs.sls rename to pillar/zeeklogs.sls index 95f18691e..882cb92a9 100644 --- a/pillar/brologs.sls +++ b/pillar/zeeklogs.sls @@ -1,4 +1,4 @@ -brologs: +zeeklogs: enabled: - conn - dce_rpc diff --git a/salt/_modules/telegraf.py b/salt/_modules/telegraf.py index 6fa33f89a..aa98af039 100644 --- a/salt/_modules/telegraf.py +++ b/salt/_modules/telegraf.py @@ -6,7 +6,7 @@ import socket def send(data): - mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('master:mainint')) + mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('manager:mainint')) mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0] dstport = 8094 diff --git a/salt/ca/files/signing_policies.conf b/salt/ca/files/signing_policies.conf index e253f8911..b25a9935b 100644 --- a/salt/ca/files/signing_policies.conf +++ b/salt/ca/files/signing_policies.conf @@ -26,7 +26,7 @@ x509_signing_policies: - extendedKeyUsage: serverAuth - days_valid: 820 - copypath: /etc/pki/issued_certs/ - masterssl: + managerssl: - minions: '*' - signing_private_key: /etc/pki/ca.key - signing_cert: /etc/pki/ca.crt diff --git a/salt/ca/init.sls b/salt/ca/init.sls index f3a1d431e..da442cc2a 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls @@ -1,4 +1,4 @@ -{% set master = salt['grains.get']('master') %} +{% set manager = salt['grains.get']('master') %} /etc/salt/minion.d/signing_policies.conf: file.managed: - source: salt://ca/files/signing_policies.conf @@ -20,7 +20,7 @@ pki_private_key: /etc/pki/ca.crt: x509.certificate_managed: - signing_private_key: /etc/pki/ca.key - - CN: {{ master }} + - CN: {{ manager }} - C: US - ST: Utah - L: Salt Lake City @@ -44,3 +44,10 @@ send_x509_pem_entries_to_mine: - mine.send: - func: x509.get_pem_entries - glob_path: /etc/pki/ca.crt + +cakeyperms: + file.managed: + - replace: False + - name: /etc/pki/ca.key + - mode: 640 + - group: 939 diff --git a/salt/common/init.sls b/salt/common/init.sls index 0ecba198d..69aaa4a17 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -1,3 +1,5 @@ +{% set role = grains.id.split('_') | last %} + # Add socore Group socoregroup: group.present: @@ -13,6 +15,20 @@ socore: - createhome: True - shell: /bin/bash +soconfperms: + file.directory: + - name: /opt/so/conf + - uid: 939 + - gid: 939 + - dir_mode: 770 + +sosaltstackperms: + file.directory: + - name: /opt/so/saltstack + - uid: 939 + - gid: 939 + - dir_mode: 770 + # Create a state directory statedir: file.directory: @@ -131,3 +147,15 @@ utilsyncscripts: - file_mode: 755 - template: jinja - source: salt://common/tools/sbin + +{% if role in ['eval', 'standalone', 'sensor', 'heavynode'] %} +# Add sensor cleanup +/usr/sbin/so-sensor-clean: + cron.present: + - user: root + - minute: '*' + - hour: '*' + - daymonth: '*' + - month: '*' + - dayweek: '*' +{% endif %} diff --git a/salt/common/maps/eval.map.jinja b/salt/common/maps/eval.map.jinja index f868474c5..075344e82 100644 --- a/salt/common/maps/eval.map.jinja +++ b/salt/common/maps/eval.map.jinja @@ -14,6 +14,7 @@ 'so-zeek', 'so-curator', 'so-elastalert', - 'so-soctopus' + 'so-soctopus', + 'so-sensoroni' ] } %} \ No newline at end of file diff --git a/salt/common/maps/fleet_master.map.jinja b/salt/common/maps/fleet_manager.map.jinja similarity index 100% rename from salt/common/maps/fleet_master.map.jinja rename to salt/common/maps/fleet_manager.map.jinja diff --git a/salt/common/maps/heavynode.map.jinja b/salt/common/maps/heavynode.map.jinja index 2b8257a6a..cbd0fc3b0 100644 --- a/salt/common/maps/heavynode.map.jinja +++ b/salt/common/maps/heavynode.map.jinja @@ -9,6 +9,7 @@ 'so-steno', 'so-suricata', 'so-wazuh', - 'so-filebeat + 'so-filebeat', + 'so-sensoroni' ] } %} \ No newline at end of file diff --git a/salt/common/maps/master.map.jinja b/salt/common/maps/manager.map.jinja similarity index 100% rename from salt/common/maps/master.map.jinja rename to salt/common/maps/manager.map.jinja diff --git a/salt/common/maps/mastersearch.map.jinja b/salt/common/maps/managersearch.map.jinja similarity index 100% rename from salt/common/maps/mastersearch.map.jinja rename to salt/common/maps/managersearch.map.jinja diff --git a/salt/common/maps/playbook.map.jinja b/salt/common/maps/playbook.map.jinja index 064262119..84baa8dec 100644 --- a/salt/common/maps/playbook.map.jinja +++ b/salt/common/maps/playbook.map.jinja @@ -1,6 +1,5 @@ {% set docker = { 'containers': [ - 'so-playbook', - 'so-navigator' + 'so-playbook' ] } %} \ No newline at end of file diff --git a/salt/common/maps/sensor.map.jinja b/salt/common/maps/sensor.map.jinja index f172dd55d..3f5ebe8eb 100644 --- a/salt/common/maps/sensor.map.jinja +++ b/salt/common/maps/sensor.map.jinja @@ -3,6 +3,7 @@ 'so-telegraf', 'so-steno', 'so-suricata', - 'so-filebeat' + 'so-filebeat', + 'so-sensoroni' ] } %} \ No newline at end of file diff --git a/salt/common/maps/so-status.map.jinja b/salt/common/maps/so-status.map.jinja index f67f4bcd6..93f5f3d13 100644 --- a/salt/common/maps/so-status.map.jinja +++ b/salt/common/maps/so-status.map.jinja @@ -18,14 +18,14 @@ } },grain='id', merge=salt['pillar.get']('docker')) %} -{% if role in ['eval', 'mastersearch', 'master', 'standalone'] %} - {{ append_containers('master', 'grafana', 0) }} - {{ append_containers('static', 'fleet_master', 0) }} - {{ append_containers('master', 'wazuh', 0) }} - {{ append_containers('master', 'thehive', 0) }} - {{ append_containers('master', 'playbook', 0) }} - {{ append_containers('master', 'freq', 0) }} - {{ append_containers('master', 'domainstats', 0) }} +{% if role in ['eval', 'managersearch', 'manager', 'standalone'] %} + {{ append_containers('manager', 'grafana', 0) }} + {{ append_containers('static', 'fleet_manager', 0) }} + {{ append_containers('manager', 'wazuh', 0) }} + {{ append_containers('manager', 'thehive', 0) }} + {{ append_containers('manager', 'playbook', 0) }} + {{ append_containers('manager', 'freq', 0) }} + {{ append_containers('manager', 'domainstats', 0) }} {% endif %} {% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %} @@ -33,13 +33,13 @@ {% endif %} {% if role in ['heavynode', 'standalone'] %} - {{ append_containers('static', 'broversion', 'SURICATA') }} + {{ append_containers('static', 'zeekversion', 'SURICATA') }} {% endif %} {% if role == 'searchnode' %} - {{ append_containers('master', 'wazuh', 0) }} + {{ append_containers('manager', 'wazuh', 0) }} {% endif %} {% if role == 'sensor' %} - {{ append_containers('static', 'broversion', 'SURICATA') }} + {{ append_containers('static', 'zeekversion', 'SURICATA') }} {% endif %} \ No newline at end of file diff --git a/salt/common/maps/standalone.map.jinja b/salt/common/maps/standalone.map.jinja index 3585d0df6..d66cad1f9 100644 --- a/salt/common/maps/standalone.map.jinja +++ b/salt/common/maps/standalone.map.jinja @@ -16,6 +16,7 @@ 'so-suricata', 'so-steno', 'so-dockerregistry', - 'so-soctopus' + 'so-soctopus', + 'so-sensoroni' ] } %} \ No newline at end of file diff --git a/salt/common/maps/broversion.map.jinja b/salt/common/maps/zeekversion.map.jinja similarity index 100% rename from salt/common/maps/broversion.map.jinja rename to salt/common/maps/zeekversion.map.jinja diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index 82d25c25e..c6d3d6bf0 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow @@ -17,15 +17,13 @@ . /usr/sbin/so-common -default_salt_dir=/opt/so/saltstack/default local_salt_dir=/opt/so/saltstack/local SKIP=0 -while getopts "abowi:" OPTION +while getopts "ahfesprbowi:" OPTION do case $OPTION in - h) usage exit 0 @@ -38,6 +36,14 @@ do FULLROLE="beats_endpoint" SKIP=1 ;; + e) + FULLROLE="elasticsearch_rest" + SKIP=1 + ;; + f) + FULLROLE="strelka_frontend" + SKIP=1 + ;; i) IP=$OPTARG ;; o) @@ -60,7 +66,10 @@ do FULLROLE="wazuh_authd" SKIP=1 ;; - + *) + usage + exit 0 + ;; esac done @@ -72,20 +81,27 @@ if [ "$SKIP" -eq 0 ]; then echo "" echo "[a] - Analyst - ports 80/tcp and 443/tcp" echo "[b] - Logstash Beat - port 5044/tcp" + echo "[e] - Elasticsearch REST API - port 9200/tcp" + echo "[f] - Strelka frontend - port 57314/tcp" echo "[o] - Osquery endpoint - port 8090/tcp" echo "[s] - Syslog device - 514/tcp/udp" echo "[w] - Wazuh agent - port 1514/tcp/udp" echo "[p] - Wazuh API - port 55000/tcp" echo "[r] - Wazuh registration service - 1515/tcp" - echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):" - read ROLE + echo "" + echo "Please enter your selection:" + read -r ROLE echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):" - read IP + read -r IP if [ "$ROLE" == "a" ]; then FULLROLE=analyst elif [ "$ROLE" == "b" ]; then FULLROLE=beats_endpoint + elif [ "$ROLE" == "e" ]; then + FULLROLE=elasticsearch_rest + elif [ "$ROLE" == "f" ]; then + FULLROLE=strelka_frontend elif [ "$ROLE" == "o" ]; then FULLROLE=osquery_endpoint elif [ "$ROLE" == "w" ]; then @@ -111,16 +127,16 @@ salt-call state.apply firewall queue=True if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then # If analyst, add to Wazuh AR whitelist if [ "$FULLROLE" == "analyst" ]; then - WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" - if ! grep -q "$IP" $WAZUH_MGR_CFG ; then - DATE=`date` - sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG - sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG - echo -e "\n \n $IP\n \n" >> $WAZUH_MGR_CFG - echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG." - echo - echo "Restarting OSSEC Server..." - /usr/sbin/so-wazuh-restart - fi - fi + WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" + if ! grep -q "$IP" $WAZUH_MGR_CFG ; then + DATE=$(date) + sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG + sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG + echo -e "\n \n $IP\n \n" >> $WAZUH_MGR_CFG + echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG." + echo + echo "Restarting OSSEC Server..." + /usr/sbin/so-wazuh-restart + fi + fi fi diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 759f78f18..5b3eeb647 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -15,6 +15,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +IMAGEREPO=securityonion + # Check for prerequisites if [ "$(id -u)" -ne 0 ]; then echo "This script must be run using sudo!" diff --git a/salt/common/tools/sbin/so-docker-refresh b/salt/common/tools/sbin/so-docker-refresh old mode 100644 new mode 100755 index 3c1a2e301..16b8fb930 --- a/salt/common/tools/sbin/so-docker-refresh +++ b/salt/common/tools/sbin/so-docker-refresh @@ -14,20 +14,16 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -got_root(){ - if [ "$(id -u)" -ne 0 ]; then - echo "This script must be run using sudo!" - exit 1 - fi -} -master_check() { - # Check to see if this is a master - MASTERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') - if [ $MASTERCHECK == 'so-eval' ] || [ $MASTERCHECK == 'so-master' ] || [ $MASTERCHECK == 'so-mastersearch' ] || [ $MASTERCHECK == 'so-standalone' ] || [ $MASTERCHECK == 'so-helix' ]; then - echo "This is a master. We can proceed" +. /usr/sbin/so-common + +manager_check() { + # Check to see if this is a manager + MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') + if [ $MANAGERCHECK == 'so-eval' ] || [ $MANAGERCHECK == 'so-manager' ] || [ $MANAGERCHECK == 'so-managersearch' ] || [ $MANAGERCHECK == 'so-standalone' ] || [ $MANAGERCHECK == 'so-helix' ]; then + echo "This is a manager. We can proceed" else - echo "Please run soup on the master. The master controls all updates." + echo "Please run soup on the manager. The manager controls all updates." exit 1 fi } @@ -39,10 +35,10 @@ update_docker_containers() { do # Pull down the trusted docker image echo "Downloading $i" - docker pull --disable-content-trust=false docker.io/soshybridhunter/$i + docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i # Tag it with the new registry destination - docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i - docker push $HOSTNAME:5000/soshybridhunter/$i + docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i + docker push $HOSTNAME:5000/$IMAGEREPO/$i done } @@ -55,58 +51,57 @@ version_check() { exit 1 fi } -got_root -master_check + +manager_check version_check # Use the hostname HOSTNAME=$(hostname) -BUILD=HH # List all the containers -if [ $MASTERCHECK != 'so-helix' ]; then +if [ $MANAGERCHECK != 'so-helix' ]; then TRUSTED_CONTAINERS=( \ - "so-acng:$BUILD$VERSION" \ - "so-thehive-cortex:$BUILD$VERSION" \ - "so-curator:$BUILD$VERSION" \ - "so-domainstats:$BUILD$VERSION" \ - "so-elastalert:$BUILD$VERSION" \ - "so-elasticsearch:$BUILD$VERSION" \ - "so-filebeat:$BUILD$VERSION" \ - "so-fleet:$BUILD$VERSION" \ - "so-fleet-launcher:$BUILD$VERSION" \ - "so-freqserver:$BUILD$VERSION" \ - "so-grafana:$BUILD$VERSION" \ - "so-idstools:$BUILD$VERSION" \ - "so-influxdb:$BUILD$VERSION" \ - "so-kibana:$BUILD$VERSION" \ - "so-kratos:$BUILD$VERSION" \ - "so-logstash:$BUILD$VERSION" \ - "so-mysql:$BUILD$VERSION" \ - "so-navigator:$BUILD$VERSION" \ - "so-nginx:$BUILD$VERSION" \ - "so-playbook:$BUILD$VERSION" \ - "so-redis:$BUILD$VERSION" \ - "so-soc:$BUILD$VERSION" \ - "so-soctopus:$BUILD$VERSION" \ - "so-steno:$BUILD$VERSION" \ - "so-strelka:$BUILD$VERSION" \ - "so-suricata:$BUILD$VERSION" \ - "so-telegraf:$BUILD$VERSION" \ - "so-thehive:$BUILD$VERSION" \ - "so-thehive-es:$BUILD$VERSION" \ - "so-wazuh:$BUILD$VERSION" \ - "so-zeek:$BUILD$VERSION" ) + "so-acng:$VERSION" \ + "so-thehive-cortex:$VERSION" \ + "so-curator:$VERSION" \ + "so-domainstats:$VERSION" \ + "so-elastalert$VERSION" \ + "so-elasticsearch:$VERSION" \ + "so-filebeat:$VERSION" \ + "so-fleet:$VERSION" \ + "so-fleet-launcher:$VERSION" \ + "so-freqserver:$VERSION" \ + "so-grafana:$VERSION" \ + "so-idstools:$VERSION" \ + "so-influxdb:$VERSION" \ + "so-kibana:$VERSION" \ + "so-kratos:$VERSION" \ + "so-logstash:$VERSION" \ + "so-mysql:$VERSION" \ + "so-nginx:$VERSION" \ + "so-pcaptools:$VERSION" \ + "so-playbook:$VERSION" \ + "so-redis:$VERSION" \ + "so-soc:$VERSION" \ + "so-soctopus:$VERSION" \ + "so-steno:$VERSION" \ + "so-strelka:$VERSION" \ + "so-suricata:$VERSION" \ + "so-telegraf:$VERSION" \ + "so-thehive:$VERSION" \ + "so-thehive-es:$VERSION" \ + "so-wazuh:$VERSION" \ + "so-zeek:$VERSION" ) else TRUSTED_CONTAINERS=( \ - "so-filebeat:$BUILD$VERSION" \ - "so-idstools:$BUILD$VERSION" \ - "so-logstash:$BUILD$VERSION" \ - "so-nginx:$BUILD$VERSION" \ - "so-redis:$BUILD$VERSION" \ - "so-steno:$BUILD$VERSION" \ - "so-suricata:$BUILD$VERSION" \ - "so-telegraf:$BUILD$VERSION" \ - "so-zeek:$BUILD$VERSION" ) + "so-filebeat:$VERSION" \ + "so-idstools:$VERSION" \ + "so-logstash:$VERSION" \ + "so-nginx:$VERSION" \ + "so-redis:$VERSION" \ + "so-steno:$VERSION" \ + "so-suricata:$VERSION" \ + "so-telegraf:$VERSION" \ + "so-zeek:$VERSION" ) fi -update_docker_containers \ No newline at end of file +update_docker_containers diff --git a/salt/common/tools/sbin/so-elastalert-create b/salt/common/tools/sbin/so-elastalert-create index 0270503bf..683b53ed1 100755 --- a/salt/common/tools/sbin/so-elastalert-create +++ b/salt/common/tools/sbin/so-elastalert-create @@ -198,7 +198,7 @@ EOF read alertoption if [ $alertoption = "1" ] ; then - echo "Please enter the email address you want to send the alerts to. Note: Ensure the Master Server is configured for SMTP." + echo "Please enter the email address you want to send the alerts to. Note: Ensure the Manager Server is configured for SMTP." read emailaddress cat << EOF >> "$rulename.yaml" # (Required) diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear index 2db400839..04c153f85 100755 --- a/salt/common/tools/sbin/so-elastic-clear +++ b/salt/common/tools/sbin/so-elastic-clear @@ -14,7 +14,7 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} +{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') -%} . /usr/sbin/so-common SKIP=0 @@ -50,7 +50,7 @@ done if [ $SKIP -ne 1 ]; then # List indices echo - curl {{ MASTERIP }}:9200/_cat/indices?v&pretty + curl {{ MANAGERIP }}:9200/_cat/indices?v echo # Inform user we are about to delete all data echo @@ -63,18 +63,54 @@ if [ $SKIP -ne 1 ]; then if [ "$INPUT" != "AGREE" ] ; then exit 0; fi fi -/usr/sbin/so-filebeat-stop -/usr/sbin/so-logstash-stop +# Check to see if Logstash/Filebeat are running +LS_ENABLED=$(so-status | grep logstash) +FB_ENABLED=$(so-status | grep filebeat) +EA_ENABLED=$(so-status | grep elastalert) + +if [ ! -z "$FB_ENABLED" ]; then + + /usr/sbin/so-filebeat-stop + +fi + +if [ ! -z "$LS_ENABLED" ]; then + + /usr/sbin/so-logstash-stop + +fi + +if [ ! -z "$EA_ENABLED" ]; then + + /usr/sbin/so-elastalert-stop + +fi # Delete data echo "Deleting data..." -INDXS=$(curl -s -XGET {{ MASTERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert' | awk '{ print $3 }') +INDXS=$(curl -s -XGET {{ MANAGERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }') for INDX in ${INDXS} do - curl -XDELETE "{{ MASTERIP }}:9200/${INDX}" > /dev/null 2>&1 + curl -XDELETE "{{ MANAGERIP }}:9200/${INDX}" > /dev/null 2>&1 done -/usr/sbin/so-logstash-start -/usr/sbin/so-filebeat-start +#Start Logstash/Filebeat +if [ ! -z "$FB_ENABLED" ]; then + + /usr/sbin/so-filebeat-start + +fi + +if [ ! -z "$LS_ENABLED" ]; then + + /usr/sbin/so-logstash-start + +fi + +if [ ! -z "$EA_ENABLED" ]; then + + /usr/sbin/so-elastalert-start + +fi diff --git a/salt/common/tools/sbin/so-elastic-download b/salt/common/tools/sbin/so-elastic-download deleted file mode 100755 index 216f51410..000000000 --- a/salt/common/tools/sbin/so-elastic-download +++ /dev/null @@ -1,44 +0,0 @@ -#!/bin/bash -MASTER=MASTER -VERSION="HH1.1.4" -TRUSTED_CONTAINERS=( \ -"so-nginx:$VERSION" \ -"so-thehive-cortex:$VERSION" \ -"so-curator:$VERSION" \ -"so-domainstats:$VERSION" \ -"so-elastalert:$VERSION" \ -"so-elasticsearch:$VERSION" \ -"so-filebeat:$VERSION" \ -"so-fleet:$VERSION" \ -"so-fleet-launcher:$VERSION" \ -"so-freqserver:$VERSION" \ -"so-grafana:$VERSION" \ -"so-idstools:$VERSION" \ -"so-influxdb:$VERSION" \ -"so-kibana:$VERSION" \ -"so-logstash:$VERSION" \ -"so-mysql:$VERSION" \ -"so-navigator:$VERSION" \ -"so-playbook:$VERSION" \ -"so-redis:$VERSION" \ -"so-sensoroni:$VERSION" \ -"so-soctopus:$VERSION" \ -"so-steno:$VERSION" \ -#"so-strelka:$VERSION" \ -"so-suricata:$VERSION" \ -"so-telegraf:$VERSION" \ -"so-thehive:$VERSION" \ -"so-thehive-es:$VERSION" \ -"so-wazuh:$VERSION" \ -"so-zeek:$VERSION" ) - -for i in "${TRUSTED_CONTAINERS[@]}" -do - # Pull down the trusted docker image - echo "Downloading $i" - docker pull --disable-content-trust=false docker.io/soshybridhunter/$i - # Tag it with the new registry destination - docker tag soshybridhunter/$i $MASTER:5000/soshybridhunter/$i - docker push $MASTER:5000/soshybridhunter/$i - docker rmi soshybridhunter/$i -done diff --git a/salt/common/tools/sbin/so-elasticsearch-indices-rw b/salt/common/tools/sbin/so-elasticsearch-indices-rw new file mode 100755 index 000000000..6e9eebe47 --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsearch-indices-rw @@ -0,0 +1,26 @@ +#!/bin/bash +# +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +IP={{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} +ESPORT=9200 +THEHIVEESPORT=9400 + +echo "Removing read only attributes for indices..." +echo +for p in $ESPORT $THEHIVEESPORT; do + curl -XPUT -H "Content-Type: application/json" http://$IP:$p/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute. Please ensure Elasticsearch is running.";fi; +done diff --git a/salt/common/tools/sbin/so-elasticsearch-templates b/salt/common/tools/sbin/so-elasticsearch-templates index 829e2a68d..dfbf07c42 100755 --- a/salt/common/tools/sbin/so-elasticsearch-templates +++ b/salt/common/tools/sbin/so-elasticsearch-templates @@ -1,4 +1,4 @@ -{% set MASTERIP = salt['pillar.get']('master:mainip', '') %} +{% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} #!/bin/bash # Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC # @@ -15,13 +15,13 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -default_salt_dir=/opt/so/saltstack/default -ELASTICSEARCH_HOST="{{ MASTERIP}}" +default_conf_dir=/opt/so/conf +ELASTICSEARCH_HOST="{{ MANAGERIP}}" ELASTICSEARCH_PORT=9200 #ELASTICSEARCH_AUTH="" # Define a default directory to load pipelines from -ELASTICSEARCH_TEMPLATES="$default_salt_dir/salt/logstash/pipelines/templates/so/" +ELASTICSEARCH_TEMPLATES="$default_conf_dir/elasticsearch/templates/" # Wait for ElasticSearch to initialize echo -n "Waiting for ElasticSearch..." diff --git a/salt/common/tools/sbin/so-features-enable b/salt/common/tools/sbin/so-features-enable index 6ba9252a9..c94aebcba 100755 --- a/salt/common/tools/sbin/so-features-enable +++ b/salt/common/tools/sbin/so-features-enable @@ -17,6 +17,18 @@ . /usr/sbin/so-common local_salt_dir=/opt/so/saltstack/local +manager_check() { + # Check to see if this is a manager + MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') + if [[ "$MANAGERCHECK" =~ ^('so-eval'|'so-manager'|'so-standalone'|'so-managersearch')$ ]]; then + echo "This is a manager. We can proceed" + else + echo "Please run so-features-enable on the manager." + exit 0 + fi +} + +manager_check VERSION=$(grep soversion $local_salt_dir/pillar/static.sls | cut -d':' -f2|sed 's/ //g') # Modify static.sls to enable Features sed -i 's/features: False/features: True/' $local_salt_dir/pillar/static.sls @@ -31,13 +43,8 @@ for i in "${TRUSTED_CONTAINERS[@]}" do # Pull down the trusted docker image echo "Downloading $i" - docker pull --disable-content-trust=false docker.io/soshybridhunter/$i + docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i # Tag it with the new registry destination - docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i - docker push $HOSTNAME:5000/soshybridhunter/$i -done -for i in "${TRUSTED_CONTAINERS[@]}" -do - echo "Removing $i locally" - docker rmi soshybridhunter/$i + docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i + docker push $HOSTNAME:5000/$IMAGEREPO/$i done diff --git a/salt/common/tools/sbin/so-fleet-setup b/salt/common/tools/sbin/so-fleet-setup old mode 100644 new mode 100755 index 9801c803b..21aebc966 --- a/salt/common/tools/sbin/so-fleet-setup +++ b/salt/common/tools/sbin/so-fleet-setup @@ -16,6 +16,7 @@ if [ ! "$(docker ps -q -f name=so-fleet)" ]; then fi docker exec so-fleet fleetctl config set --address https://localhost:8080 --tls-skip-verify --url-prefix /fleet +docker exec -it so-fleet bash -c 'while [[ "$(curl -s -o /dev/null --insecure -w ''%{http_code}'' https://localhost:8080/fleet)" != "301" ]]; do sleep 5; done' docker exec so-fleet fleetctl setup --email $1 --password $2 docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml diff --git a/salt/common/tools/sbin/so-idstools-restart b/salt/common/tools/sbin/so-idstools-restart new file mode 100755 index 000000000..8dec9b4c4 --- /dev/null +++ b/salt/common/tools/sbin/so-idstools-restart @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-restart idstools $1 diff --git a/salt/common/tools/sbin/so-idstools-start b/salt/common/tools/sbin/so-idstools-start new file mode 100755 index 000000000..8b34b458f --- /dev/null +++ b/salt/common/tools/sbin/so-idstools-start @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-start idstools $1 diff --git a/salt/common/tools/sbin/so-idstools-stop b/salt/common/tools/sbin/so-idstools-stop new file mode 100755 index 000000000..8c4b25031 --- /dev/null +++ b/salt/common/tools/sbin/so-idstools-stop @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-stop idstools $1 diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap new file mode 100755 index 000000000..a45fe6777 --- /dev/null +++ b/salt/common/tools/sbin/so-import-pcap @@ -0,0 +1,220 @@ +#!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +{% set MANAGER = salt['grains.get']('master') %} +{% set VERSION = salt['pillar.get']('static:soversion') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{%- set MANAGERIP = salt['pillar.get']('static:managerip') -%} + +function usage { + cat << EOF +Usage: $0 [pcap-file-2] [pcap-file-N] + +Imports one or more PCAP files onto a sensor node. The PCAP traffic will be analyzed and +made available for review in the Security Onion toolset. +EOF +} + +function pcapinfo() { + PCAP=$1 + ARGS=$2 + docker run --rm -v $PCAP:/input.pcap --entrypoint capinfos {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap $ARGS +} + +function pcapfix() { + PCAP=$1 + PCAP_OUT=$2 + docker run --rm -v $PCAP:/input.pcap -v $PCAP_OUT:$PCAP_OUT --entrypoint pcapfix {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap -o $PCAP_OUT > /dev/null 2>&1 +} + +function suricata() { + PCAP=$1 + HASH=$2 + + NSM_PATH=/nsm/import/${HASH}/suricata + mkdir -p $NSM_PATH + chown suricata:socore $NSM_PATH + LOG_PATH=/opt/so/log/suricata/import/${HASH} + mkdir -p $LOG_PATH + chown suricata:suricata $LOG_PATH + docker run --rm \ + -v /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro \ + -v /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro \ + -v /opt/so/conf/suricata/rules:/etc/suricata/rules:ro \ + -v ${LOG_PATH}:/var/log/suricata/:rw \ + -v ${NSM_PATH}/:/nsm/:rw \ + -v $PCAP:/input.pcap:ro \ + -v /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro \ + {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-suricata:{{ VERSION }} \ + --runmode single -k none -r /input.pcap > $LOG_PATH/console.log 2>&1 +} + +function zeek() { + PCAP=$1 + HASH=$2 + + NSM_PATH=/nsm/import/${HASH}/zeek + mkdir -p $NSM_PATH/logs + mkdir -p $NSM_PATH/extracted + mkdir -p $NSM_PATH/spool + chown -R zeek:socore $NSM_PATH + docker run --rm \ + -v $NSM_PATH/logs:/nsm/zeek/logs:rw \ + -v $NSM_PATH/spool:/nsm/zeek/spool:rw \ + -v $NSM_PATH/extracted:/nsm/zeek/extracted:rw \ + -v $PCAP:/input.pcap:ro \ + -v /opt/so/conf/zeek/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro \ + -v /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro \ + -v /opt/so/conf/zeek/zeekctl.cfg:/opt/zeek/etc/zeekctl.cfg:ro \ + -v /opt/so/conf/zeek/policy/securityonion:/opt/zeek/share/zeek/policy/securityonion:ro \ + -v /opt/so/conf/zeek/policy/custom:/opt/zeek/share/zeek/policy/custom:ro \ + -v /opt/so/conf/zeek/policy/cve-2020-0601:/opt/zeek/share/zeek/policy/cve-2020-0601:ro \ + -v /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw \ + -v /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro \ + --entrypoint /opt/zeek/bin/zeek \ + -w /nsm/zeek/logs \ + {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }} \ + -C -r /input.pcap local > $NSM_PATH/logs/console.log 2>&1 +} + +# if no parameters supplied, display usage +if [ $# -eq 0 ]; then + usage + exit 1 +fi + +# ensure this is a sensor node +if [ ! -d /opt/so/conf/suricata ]; then + echo "This command must be run on a sensor node." + exit 3 +fi + +# verify that all parameters are files +for i in "$@"; do + if ! [ -f "$i" ]; then + usage + echo "\"$i\" is not a valid file!" + exit 2 + fi +done + +# track if we have any valid or invalid pcaps +INVALID_PCAPS="no" +VALID_PCAPS="no" + +# track oldest start and newest end so that we can generate the Kibana search hyperlink at the end +START_OLDEST="2050-12-31" +END_NEWEST="1971-01-01" + +# paths must be quoted in case they include spaces +for PCAP in "$@"; do + PCAP=$(/usr/bin/realpath "$PCAP") + echo "Processing Import: ${PCAP}" + echo "- verifying file" + if ! pcapinfo "${PCAP}" > /dev/null 2>&1; then + # try to fix pcap and then process the fixed pcap directly + PCAP_FIXED=`mktemp /tmp/so-import-pcap-XXXXXXXXXX.pcap` + echo "- attempting to recover corrupted PCAP file" + pcapfix "${PCAP}" "${PCAP_FIXED}" + PCAP="${PCAP_FIXED}" + TEMP_PCAPS+=(${PCAP_FIXED}) + fi + + # generate a unique hash to assist with dedupe checks + HASH=$(md5sum "${PCAP}" | awk '{ print $1 }') + HASH_DIR=/nsm/import/${HASH} + echo "- assigning unique identifier to import: $HASH" + + if [ -d $HASH_DIR ]; then + echo "- this PCAP has already been imported; skipping" + INVALID_PCAPS="yes" + elif pcapinfo "${PCAP}" |egrep -q "Last packet time: 1970-01-01|Last packet time: n/a"; then + echo "- this PCAP file is invalid; skipping" + INVALID_PCAPS="yes" + else + VALID_PCAPS="yes" + + PCAP_DIR=$HASH_DIR/pcap + mkdir -p $PCAP_DIR + + # generate IDS alerts and write them to standard pipeline + echo "- analyzing traffic with Suricata" + suricata "${PCAP}" $HASH + + # generate Zeek logs and write them to a unique subdirectory in /nsm/import/bro/ + # since each run writes to a unique subdirectory, there is no need for a lock file + echo "- analyzing traffic with Zeek" + zeek "${PCAP}" $HASH + + START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}') + END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}') + echo "- saving PCAP data spanning dates $START through $END" + + # compare $START to $START_OLDEST + START_COMPARE=$(date -d $START +%s) + START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s) + if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then + START_OLDEST=$START + fi + + # compare $ENDNEXT to $END_NEWEST + ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"` + ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s) + END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s) + if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then + END_NEWEST=$ENDNEXT + fi + + cp -f "${PCAP}" "${PCAP_DIR}"/data.pcap + chmod 644 "${PCAP_DIR}"/data.pcap + + fi # end of valid pcap + + echo + +done # end of for-loop processing pcap files + +# remove temp files +echo "Cleaning up:" +for TEMP_PCAP in ${TEMP_PCAPS[@]}; do + echo "- removing temporary pcap $TEMP_PCAP" + rm -f $TEMP_PCAP +done + +# output final messages +if [ "$INVALID_PCAPS" = "yes" ]; then + echo + echo "Please note! One or more pcaps was invalid! You can scroll up to see which ones were invalid." +fi + +START_OLDEST_SLASH=$(echo $START_OLDEST | sed -e 's/-/%2F/g') +END_NEWEST_SLASH=$(echo $END_NEWEST | sed -e 's/-/%2F/g') + +if [ "$VALID_PCAPS" = "yes" ]; then +cat << EOF + +Import complete! + +You can use the following hyperlink to view data in the time range of your import. You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser: +https://{{ MANAGERIP }}/#/hunt?q=%2a%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM + +or you can manually set your Time Range to be: +From: $START_OLDEST To: $END_NEWEST + +Please note that it may take 30 seconds or more for events to appear in Onion Hunt. +EOF +fi diff --git a/salt/common/tools/sbin/so-influxdb-restart b/salt/common/tools/sbin/so-influxdb-restart new file mode 100755 index 000000000..c822dc251 --- /dev/null +++ b/salt/common/tools/sbin/so-influxdb-restart @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-restart influxdb $1 diff --git a/salt/common/tools/sbin/so-influxdb-start b/salt/common/tools/sbin/so-influxdb-start new file mode 100755 index 000000000..d840838f3 --- /dev/null +++ b/salt/common/tools/sbin/so-influxdb-start @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-start influxdb $1 diff --git a/salt/common/tools/sbin/so-influxdb-stop b/salt/common/tools/sbin/so-influxdb-stop new file mode 100755 index 000000000..fe06c34e4 --- /dev/null +++ b/salt/common/tools/sbin/so-influxdb-stop @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-stop influxdb $1 diff --git a/salt/common/tools/sbin/so-kibana-config-export b/salt/common/tools/sbin/so-kibana-config-export index f64e12a0e..8ee3f59b5 100755 --- a/salt/common/tools/sbin/so-kibana-config-export +++ b/salt/common/tools/sbin/so-kibana-config-export @@ -1,9 +1,9 @@ #!/bin/bash # -# {%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master', False) -%} +# {%- set FLEET_MANAGER = salt['pillar.get']('static:fleet_manager', False) -%} # {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node', False) -%} # {%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', '') %} -# {%- set MASTER = salt['pillar.get']('master:url_base', '') %} +# {%- set MANAGER = salt['pillar.get']('manager:url_base', '') %} # # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # @@ -20,7 +20,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -KIBANA_HOST={{ MASTER }} +KIBANA_HOST={{ MANAGER }} KSO_PORT=5601 OUTFILE="saved_objects.ndjson" curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE @@ -29,7 +29,7 @@ curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST $KIBANA_H sed -i "s/$KIBANA_HOST/PLACEHOLDER/g" $OUTFILE # Clean up for Fleet, if applicable -# {% if FLEET_NODE or FLEET_MASTER %} +# {% if FLEET_NODE or FLEET_MANAGER %} # Fleet IP -sed -i "s/{{ MASTER }}/FLEETPLACEHOLDER/g" $OUTFILE +sed -i "s/{{ MANAGER }}/FLEETPLACEHOLDER/g" $OUTFILE # {% endif %} diff --git a/salt/common/tools/sbin/so-nginx-restart b/salt/common/tools/sbin/so-nginx-restart new file mode 100755 index 000000000..ce45ebd06 --- /dev/null +++ b/salt/common/tools/sbin/so-nginx-restart @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-restart nginx $1 diff --git a/salt/common/tools/sbin/so-nginx-start b/salt/common/tools/sbin/so-nginx-start new file mode 100755 index 000000000..5ee1e3c55 --- /dev/null +++ b/salt/common/tools/sbin/so-nginx-start @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-start nginx $1 diff --git a/salt/common/tools/sbin/so-nginx-stop b/salt/common/tools/sbin/so-nginx-stop new file mode 100755 index 000000000..1901c6e85 --- /dev/null +++ b/salt/common/tools/sbin/so-nginx-stop @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-stop nginx $1 diff --git a/salt/common/tools/sbin/so-saltstack-update b/salt/common/tools/sbin/so-saltstack-update old mode 100644 new mode 100755 index d4e380b61..73688dc08 --- a/salt/common/tools/sbin/so-saltstack-update +++ b/salt/common/tools/sbin/so-saltstack-update @@ -21,8 +21,8 @@ clone_to_tmp() { # Make a temp location for the files mkdir /tmp/sogh cd /tmp/sogh - #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git - git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git + #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion.git + git clone https://github.com/Security-Onion-Solutions/securityonion.git cd /tmp } @@ -30,10 +30,10 @@ clone_to_tmp() { copy_new_files() { # Copy new files over to the salt dir - cd /tmp/sogh/securityonion-saltstack + cd /tmp/sogh/securityonion git checkout $BRANCH - rsync -a --exclude-from 'exclude-list.txt' salt $default_salt_dir/ - rsync -a --exclude-from 'exclude-list.txt' pillar $default_salt_dir/ + rsync -a salt $default_salt_dir/ + rsync -a pillar $default_salt_dir/ chown -R socore:socore $default_salt_dir/salt chown -R socore:socore $default_salt_dir/pillar chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh diff --git a/salt/common/tools/sbin/so-sensor-clean b/salt/common/tools/sbin/so-sensor-clean new file mode 100755 index 000000000..886b16fcd --- /dev/null +++ b/salt/common/tools/sbin/so-sensor-clean @@ -0,0 +1,121 @@ +#!/bin/bash + +# Delete Zeek Logs based on defined CRIT_DISK_USAGE value + +# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +SENSOR_DIR='/nsm' +CRIT_DISK_USAGE=90 +CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %) +LOG="/opt/so/log/sensor_clean.log" +TODAY=$(date -u "+%Y-%m-%d") + +clean () { + ## find the oldest Zeek logs directory + OLDEST_DIR=$(ls /nsm/zeek/logs/ | grep -v "current" | grep -v "stats" | grep -v "packetloss" | grep -v "zeek_clean" | sort | head -n 1) + if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ] + then + echo "$(date) - No old Zeek logs available to clean up in /nsm/zeek/logs/" >> $LOG + #exit 0 + else + echo "$(date) - Removing directory: /nsm/zeek/logs/$OLDEST_DIR" >> $LOG + rm -rf /nsm/zeek/logs/"$OLDEST_DIR" + fi + + + ## Remarking for now, as we are moving extracted files to /nsm/strelka/processed + ## find oldest files in extracted directory and exclude today + #OLDEST_EXTRACT=$(find /nsm/zeek/extracted/complete -type f -printf '%T+ %p\n' 2>/dev/null | sort | grep -v $TODAY | head -n 1) + #if [ -z "$OLDEST_EXTRACT" -o "$OLDEST_EXTRACT" == ".." -o "$OLDEST_EXTRACT" == "." ] + #then + # echo "$(date) - No old extracted files available to clean up in /nsm/zeek/extracted/complete" >> $LOG + #else + # OLDEST_EXTRACT_DATE=`echo $OLDEST_EXTRACT | awk '{print $1}' | cut -d+ -f1` + # OLDEST_EXTRACT_FILE=`echo $OLDEST_EXTRACT | awk '{print $2}'` + # echo "$(date) - Removing extracted files for $OLDEST_EXTRACT_DATE" >> $LOG + # find /nsm/zeek/extracted/complete -type f -printf '%T+ %p\n' | grep $OLDEST_EXTRACT_DATE | awk '{print $2}' |while read FILE + # do + # echo "$(date) - Removing extracted file: $FILE" >> $LOG + # rm -f "$FILE" + # done + #fi + + ## Clean up Zeek extracted files processed by Strelka + STRELKA_FILES='/nsm/strelka/processed' + OLDEST_STRELKA=$(find $STRELKA_FILES -type f -printf '%T+ %p\n' | sort -n | head -n 1 ) + if [ -z "$OLDEST_STRELKA" -o "$OLDEST_STRELKA" == ".." -o "$OLDEST_STRELKA" == "." ] + then + echo "$(date) - No old files available to clean up in $STRELKA_FILES" >> $LOG + else + OLDEST_STRELKA_DATE=`echo $OLDEST_STRELKA | awk '{print $1}' | cut -d+ -f1` + OLDEST_STRELKA_FILE=`echo $OLDEST_STRELKA | awk '{print $2}'` + echo "$(date) - Removing extracted files for $OLDEST_STRELKA_DATE" >> $LOG + find $STRELKA_FILES -type f -printf '%T+ %p\n' | grep $OLDEST_STRELKA_DATE | awk '{print $2}' |while read FILE + do + echo "$(date) - Removing file: $FILE" >> $LOG + rm -f "$FILE" + done + fi + + ## Clean up Suricata log files + SURICATA_LOGS='/nsm/suricata' + OLDEST_SURICATA=$(find $STRELKA_FILES -type f -printf '%T+ %p\n' | sort -n | head -n 1) + if [ -z "$OLDEST_SURICATA" -o "$OLDEST_SURICATA" == ".." -o "$OLDEST_SURICATA" == "." ] + then + echo "$(date) - No old files available to clean up in $SURICATA_LOGS" >> $LOG + else + OLDEST_SURICATA_DATE=`echo $OLDEST_SURICATA | awk '{print $1}' | cut -d+ -f1` + OLDEST_SURICATA_FILE=`echo $OLDEST_SURICATA | awk '{print $2}'` + echo "$(date) - Removing logs for $OLDEST_SURICATA_DATE" >> $LOG + find $SURICATA_LOGS -type f -printf '%T+ %p\n' | grep $OLDEST_SURICATA_DATE | awk '{print $2}' |while read FILE + do + echo "$(date) - Removing file: $FILE" >> $LOG + rm -f "$FILE" + done + fi + + ## Clean up extracted pcaps from Steno + PCAPS='/nsm/pcapout' + OLDEST_PCAP=$(find $PCAPS -type f -printf '%T+ %p\n' | sort -n | head -n 1 ) + if [ -z "$OLDEST_PCAP" -o "$OLDEST_PCAP" == ".." -o "$OLDEST_PCAP" == "." ] + then + echo "$(date) - No old files available to clean up in $PCAPS" >> $LOG + else + OLDEST_PCAP_DATE=`echo $OLDEST_PCAP | awk '{print $1}' | cut -d+ -f1` + OLDEST_PCAP_FILE=`echo $OLDEST_PCAP | awk '{print $2}'` + echo "$(date) - Removing extracted files for $OLDEST_PCAP_DATE" >> $LOG + find $PCAPS -type f -printf '%T+ %p\n' | grep $OLDEST_PCAP_DATE | awk '{print $2}' |while read FILE + do + echo "$(date) - Removing file: $FILE" >> $LOG + rm -f "$FILE" + done + fi +} + +# Check to see if we are already running +IS_RUNNING=$(ps aux | grep "sensor_clean" | grep -v grep | wc -l) +[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >> $LOG && exit 0 + +if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then + while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; + do + clean + CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %) + done +else + echo "$(date) - Current usage value of $CUR_USAGE not greater than CRIT_DISK_USAGE value of $CRIT_DISK_USAGE..." >> $LOG +fi + diff --git a/salt/common/tools/sbin/so-soc-restart b/salt/common/tools/sbin/so-soc-restart new file mode 100755 index 000000000..19bc85b2a --- /dev/null +++ b/salt/common/tools/sbin/so-soc-restart @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-restart soc $1 diff --git a/salt/common/tools/sbin/so-soc-start b/salt/common/tools/sbin/so-soc-start new file mode 100755 index 000000000..44480d3db --- /dev/null +++ b/salt/common/tools/sbin/so-soc-start @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-start soc $1 diff --git a/salt/common/tools/sbin/so-soc-stop b/salt/common/tools/sbin/so-soc-stop new file mode 100755 index 000000000..d089fe9ea --- /dev/null +++ b/salt/common/tools/sbin/so-soc-stop @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-stop soc $1 diff --git a/salt/common/tools/sbin/so-strelka-restart b/salt/common/tools/sbin/so-strelka-restart new file mode 100755 index 000000000..575517807 --- /dev/null +++ b/salt/common/tools/sbin/so-strelka-restart @@ -0,0 +1,26 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-stop strelka-filestream $1 +/usr/sbin/so-stop strelka-manager $1 +/usr/sbin/so-stop strelka-frontend $1 +/usr/sbin/so-stop strelka-backend $1 +/usr/sbin/so-stop strelka-gatekeeper $1 +/usr/sbin/so-stop strelka-coordinator $1 +/usr/sbin/so-start strelka $1 diff --git a/salt/common/tools/sbin/so-strelka-start b/salt/common/tools/sbin/so-strelka-start new file mode 100755 index 000000000..cecfc0555 --- /dev/null +++ b/salt/common/tools/sbin/so-strelka-start @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-start strelka $1 diff --git a/salt/common/tools/sbin/so-strelka-stop b/salt/common/tools/sbin/so-strelka-stop new file mode 100755 index 000000000..24bd901d6 --- /dev/null +++ b/salt/common/tools/sbin/so-strelka-stop @@ -0,0 +1,25 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-stop strelka-filestream $1 +/usr/sbin/so-stop strelka-manager $1 +/usr/sbin/so-stop strelka-frontend $1 +/usr/sbin/so-stop strelka-backend $1 +/usr/sbin/so-stop strelka-gatekeeper $1 +/usr/sbin/so-stop strelka-coordinator $1 diff --git a/salt/common/tools/sbin/so-telegraf-restart b/salt/common/tools/sbin/so-telegraf-restart new file mode 100755 index 000000000..e69e14ee8 --- /dev/null +++ b/salt/common/tools/sbin/so-telegraf-restart @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-restart telegraf $1 diff --git a/salt/common/tools/sbin/so-telegraf-start b/salt/common/tools/sbin/so-telegraf-start new file mode 100755 index 000000000..4d9b760ef --- /dev/null +++ b/salt/common/tools/sbin/so-telegraf-start @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-start telegraf $1 diff --git a/salt/common/tools/sbin/so-telegraf-stop b/salt/common/tools/sbin/so-telegraf-stop new file mode 100755 index 000000000..4b6ca2ca9 --- /dev/null +++ b/salt/common/tools/sbin/so-telegraf-stop @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-stop telegraf $1 diff --git a/salt/common/tools/sbin/so-yara-update b/salt/common/tools/sbin/so-yara-update new file mode 100755 index 000000000..884c13728 --- /dev/null +++ b/salt/common/tools/sbin/so-yara-update @@ -0,0 +1,102 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +clone_dir="/tmp" +output_dir="/opt/so/saltstack/default/salt/strelka/rules" +#mkdir -p $output_dir +repos="$output_dir/repos.txt" +ignorefile="$output_dir/ignore.txt" + +deletecounter=0 +newcounter=0 +updatecounter=0 + +gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com) + +if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then + + while IFS= read -r repo; do + + # Remove old repo if existing bc of previous error condition or unexpected disruption + repo_name=`echo $repo | awk -F '/' '{print $NF}'` + [ -d $repo_name ] && rm -rf $repo_name + + # Clone repo and make appropriate directories for rules + + git clone $repo $clone_dir/$repo_name + echo "Analyzing rules from $clone_dir/$repo_name..." + mkdir -p $output_dir/$repo_name + [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name + + # Copy over rules + for i in $(find $clone_dir/$repo_name -name "*.yar*"); do + rule_name=$(echo $i | awk -F '/' '{print $NF}') + repo_sum=$(sha256sum $i | awk '{print $1}') + + # Check rules against those in ignore list -- don't copy if ignored. + if ! grep -iq $rule_name $ignorefile; then + existing_rules=$(find $output_dir/$repo_name/ -name $rule_name | wc -l) + + # For existing rules, check to see if they need to be updated, by comparing checksums + if [ $existing_rules -gt 0 ];then + local_sum=$(sha256sum $output_dir/$repo_name/$rule_name | awk '{print $1}') + if [ "$repo_sum" != "$local_sum" ]; then + echo "Checksums do not match!" + echo "Updating $rule_name..." + cp $i $output_dir/$repo_name; + ((updatecounter++)) + fi + else + # If rule doesn't exist already, we'll add it + echo "Adding new rule: $rule_name..." + cp $i $output_dir/$repo_name + ((newcounter++)) + fi + fi; + done + + # Check to see if we have any old rules that need to be removed + for i in $(find $output_dir/$repo_name -name "*.yar*" | awk -F '/' '{print $NF}'); do + is_repo_rule=$(find $clone_dir/$repo_name -name "$i" | wc -l) + if [ $is_repo_rule -eq 0 ]; then + echo "Could not find $i in source $repo_name repo...removing from $output_dir/$repo_name..." + rm $output_dir/$repo_name/$i + ((deletecounter++)) + fi + done + rm -rf $clone_dir/$repo_name + done < $repos + + echo "Done!" + + if [ "$newcounter" -gt 0 ];then + echo "$newcounter new rules added." + fi + + if [ "$updatecounter" -gt 0 ];then + echo "$updatecounter rules updated." + fi + + if [ "$deletecounter" -gt 0 ];then + echo "$deletecounter rules removed because they were deprecated or don't exist in the source repo." + fi + +else + echo "Server returned $gh_status status code." + echo "No connectivity to Github...exiting..." + exit 1 +fi diff --git a/salt/common/tools/sbin/so-bro-logs b/salt/common/tools/sbin/so-zeek-logs similarity index 80% rename from salt/common/tools/sbin/so-bro-logs rename to salt/common/tools/sbin/so-zeek-logs index 173d23029..353eece1e 100755 --- a/salt/common/tools/sbin/so-bro-logs +++ b/salt/common/tools/sbin/so-zeek-logs @@ -1,17 +1,17 @@ #!/bin/bash local_salt_dir=/opt/so/saltstack/local -bro_logs_enabled() { +zeek_logs_enabled() { - echo "brologs:" > $local_salt_dir/pillar/brologs.sls - echo " enabled:" >> $local_salt_dir/pillar/brologs.sls + echo "zeeklogs:" > $local_salt_dir/pillar/zeeklogs.sls + echo " enabled:" >> $local_salt_dir/pillar/zeeklogs.sls for BLOG in ${BLOGS[@]}; do - echo " - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/brologs.sls + echo " - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/zeeklogs.sls done } -whiptail_master_adv_service_brologs() { +whiptail_manager_adv_service_zeeklogs() { BLOGS=$(whiptail --title "Security Onion Setup" --checklist "Please Select Logs to Send:" 24 78 12 \ "conn" "Connection Logging" ON \ @@ -54,5 +54,5 @@ whiptail_master_adv_service_brologs() { "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 ) } -whiptail_master_adv_service_brologs -bro_logs_enabled +whiptail_manager_adv_service_zeeklogs +zeek_logs_enabled diff --git a/salt/common/tools/sbin/so-zeek-stats b/salt/common/tools/sbin/so-zeek-stats old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup old mode 100644 new mode 100755 index 7c471aa34..878372e68 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -15,23 +15,187 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -clone_to_tmp() { +. /usr/sbin/so-common +UPDATE_DIR=/tmp/sogh/securityonion +INSTALLEDVERSION=$(cat /etc/soversion) +default_salt_dir=/opt/so/saltstack/default +manager_check() { + # Check to see if this is a manager + MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') + if [[ "$MANAGERCHECK" =~ ^('so-eval'|'so-manager'|'so-standalone'|'so-managersearch')$ ]]; then + echo "This is a manager. We can proceed" + else + echo "Please run soup on the manager. The manager controls all updates." + exit 0 + fi +} + +clean_dockers() { + # Place Holder for cleaning up old docker images + echo "" +} + +clone_to_tmp() { # TODO Need to add a air gap option + # Clean old files + rm -rf /tmp/sogh # Make a temp location for the files - rm -rf /tmp/soup - mkdir -p /tmp/soup - cd /tmp/soup - #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git - git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git + mkdir -p /tmp/sogh + cd /tmp/sogh + #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion.git + git clone https://github.com/Security-Onion-Solutions/securityonion.git + cd /tmp + if [ ! -f $UPDATE_DIR/VERSION ]; then + echo "Update was unable to pull from github. Please check your internet." + exit 0 + fi +} + +copy_new_files() { + # Copy new files over to the salt dir + cd /tmp/sogh/securityonion + rsync -a salt $default_salt_dir/ + rsync -a pillar $default_salt_dir/ + chown -R socore:socore $default_salt_dir/ + chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh + cd /tmp +} + +highstate() { + # Run a highstate but first cancel a running one. + salt-call saltutil.kill_all_jobs + salt-call state.highstate +} + +pillar_changes() { + # This function is to add any new pillar items if needed. + echo "Checking to see if pillar changes are needed" } -# Prompt the user that this requires internets +update_dockers() { + # List all the containers + if [ $MANAGERCHECK != 'so-helix' ]; then + TRUSTED_CONTAINERS=( \ + "so-acng" \ + "so-thehive-cortex" \ + "so-curator" \ + "so-domainstats" \ + "so-elastalert" \ + "so-elasticsearch" \ + "so-filebeat" \ + "so-fleet" \ + "so-fleet-launcher" \ + "so-freqserver" \ + "so-grafana" \ + "so-idstools" \ + "so-influxdb" \ + "so-kibana" \ + "so-kratos" \ + "so-logstash" \ + "so-mysql" \ + "so-nginx" \ + "so-pcaptools" \ + "so-playbook" \ + "so-redis" \ + "so-soc" \ + "so-soctopus" \ + "so-steno" \ + "so-strelka" \ + "so-suricata" \ + "so-telegraf" \ + "so-thehive" \ + "so-thehive-es" \ + "so-wazuh" \ + "so-zeek" ) + else + TRUSTED_CONTAINERS=( \ + "so-filebeat" \ + "so-idstools" \ + "so-logstash" \ + "so-nginx" \ + "so-redis" \ + "so-steno" \ + "so-suricata" \ + "so-telegraf" \ + "so-zeek" ) + fi +# Download the containers from the interwebs + for i in "${TRUSTED_CONTAINERS[@]}" + do + # Pull down the trusted docker image + echo "Downloading $i:$NEWVERSION" + docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i:$NEWVERSION + # Tag it with the new registry destination + docker tag $IMAGEREPO/$i:$NEWVERSION $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION + docker push $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION + done + +} + +update_version() { + # Update the version to the latest + echo "Updating the version file." + echo $NEWVERSION > /etc/soversion + sed -i 's/$INSTALLEDVERSION/$NEWVERISON/g' /opt/so/saltstack/local/pillar/static.sls +} + +upgrade_check() { + # Let's make sure we actually need to update. + NEWVERSION=$(cat $UPDATE_DIR/VERSION) + if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then + echo "You are already running the latest version of Security Onion." + exit 0 + else + echo "Performing Upgrade from $INSTALLEDVERSION to $NEWVERSION" + fi +} + +verify_latest_update_script() { + # Check to see if the update scripts match. If not run the new one. + CURRENTSOUP=$(md5sum /opt/so/saltstack/default/salt/common/tools/sbin/soup | awk '{print $1}') + GITSOUP=$(md5sum /tmp/sogh/securityonion/salt/common/tools/sbin/soup | awk '{print $1}') + if [[ "$CURRENTSOUP" == "$GITSOUP" ]]; then + echo "This version of the soup script is up to date. Proceeding." + else + echo "You are not running the latest soup version. Updating soup." + cp $UPDATE_DIR/salt/common/tools/sbin/soup $default_salt_dir/salt/common/tools/sbin/ + salt-call state.apply common queue=True + echo "" + echo "soup has been updated. Please run soup again" + exit 0 + fi +} + +echo "Checking to see if this is a manager" +manager_check +echo "Cloning latest code to a temporary location" clone_to_tmp -cd /tmp/soup/securityonion-saltstack/update -chmod +x soup -./soup - - +echo "" +echo "Verifying we have the latest script" +verify_latest_update_script +echo "" +echo "Let's see if we need to update" +upgrade_check +echo "" +echo "Making pillar changes" +pillar_changes +echo "" +echo "Cleaning up old dockers" +clean_dockers +echo "" +echo "Updating docker to $NEWVERSION" +update_dockers +echo "" +echo "Copying new code" +copy_new_files +echo "" +echo "Running a highstate to complete upgrade" +highstate +echo "" +echo "Updating version" +update_version +echo "" +echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete." diff --git a/salt/curator/files/action/delete.yml b/salt/curator/files/action/delete.yml index 030bbbfac..fb3945c1d 100644 --- a/salt/curator/files/action/delete.yml +++ b/salt/curator/files/action/delete.yml @@ -1,8 +1,4 @@ -{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %} - {%- set log_size_limit = salt['pillar.get']('node:log_size_limit', '') -%} -{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %} - {%- set log_size_limit = salt['pillar.get']('master:log_size_limit', '') -%} -{%- endif %} +{%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit', '') -%} --- # Remember, leave a key empty if there is no value. None will be a string, # not a Python "NoneType" diff --git a/salt/curator/files/action/so-beats-close.yml b/salt/curator/files/action/so-beats-close.yml new file mode 100644 index 000000000..4c606d4bc --- /dev/null +++ b/salt/curator/files/action/so-beats-close.yml @@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-beats:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close Beats indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-beats.*|so-beats.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/close.yml b/salt/curator/files/action/so-firewall-close.yml similarity index 58% rename from salt/curator/files/action/close.yml rename to salt/curator/files/action/so-firewall-close.yml index a65e9af3d..c30daa6bb 100644 --- a/salt/curator/files/action/close.yml +++ b/salt/curator/files/action/so-firewall-close.yml @@ -1,9 +1,4 @@ -{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %} - {%- set cur_close_days = salt['pillar.get']('node:cur_close_days', '') -%} -{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %} - {%- set cur_close_days = salt['pillar.get']('master:cur_close_days', '') -%} -{%- endif -%} - +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-firewall:close', 30) -%} --- # Remember, leave a key empty if there is no value. None will be a string, # not a Python "NoneType" @@ -15,8 +10,7 @@ actions: 1: action: close description: >- - Close indices older than {{cur_close_days}} days (based on index name), for logstash- - prefixed indices. + Close Firewall indices older than {{cur_close_days}} days. options: delete_aliases: False timeout_override: @@ -25,7 +19,7 @@ actions: filters: - filtertype: pattern kind: regex - value: '^(logstash-.*|so-.*)$' + value: '^(logstash-firewall.*|so-firewall.*)$' - filtertype: age source: name direction: older diff --git a/salt/curator/files/action/so-ids-close.yml b/salt/curator/files/action/so-ids-close.yml new file mode 100644 index 000000000..05583d853 --- /dev/null +++ b/salt/curator/files/action/so-ids-close.yml @@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-ids:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close IDS indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-ids.*|so-ids.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/so-import-close.yml b/salt/curator/files/action/so-import-close.yml new file mode 100644 index 000000000..d7ae725d1 --- /dev/null +++ b/salt/curator/files/action/so-import-close.yml @@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-import:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close Import indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-import.*|so-import.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/so-osquery-close.yml b/salt/curator/files/action/so-osquery-close.yml new file mode 100644 index 000000000..e58643175 --- /dev/null +++ b/salt/curator/files/action/so-osquery-close.yml @@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-osquery:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close osquery indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-osquery.*|so-osquery.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/so-ossec-close.yml b/salt/curator/files/action/so-ossec-close.yml new file mode 100644 index 000000000..6243fabd6 --- /dev/null +++ b/salt/curator/files/action/so-ossec-close.yml @@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-ossec:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close ossec indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-ossec.*|so-ossec.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/so-strelka-close.yml b/salt/curator/files/action/so-strelka-close.yml new file mode 100644 index 000000000..da0fafcbb --- /dev/null +++ b/salt/curator/files/action/so-strelka-close.yml @@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-strelka:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close Strelka indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-strelka.*|so-strelka.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/so-syslog-close.yml b/salt/curator/files/action/so-syslog-close.yml new file mode 100644 index 000000000..225458048 --- /dev/null +++ b/salt/curator/files/action/so-syslog-close.yml @@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-syslog:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close syslog indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-syslog.*|so-syslog.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/so-zeek-close.yml b/salt/curator/files/action/so-zeek-close.yml new file mode 100644 index 000000000..7692d26eb --- /dev/null +++ b/salt/curator/files/action/so-zeek-close.yml @@ -0,0 +1,29 @@ +{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-zeek:close', 30) -%} +--- +# Remember, leave a key empty if there is no value. None will be a string, +# not a Python "NoneType" +# +# Also remember that all examples have 'disable_action' set to True. If you +# want to use this action as a template, be sure to set this to False after +# copying it. +actions: + 1: + action: close + description: >- + Close Zeek indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(logstash-zeek.*|so-zeek.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/bin/so-curator-close b/salt/curator/files/bin/so-curator-close index dff6bbb39..11324dd31 100644 --- a/salt/curator/files/bin/so-curator-close +++ b/salt/curator/files/bin/so-curator-close @@ -1,2 +1,2 @@ #!/bin/bash -/usr/sbin/so-curator-closed-delete > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/close.yml > /dev/null 2>&1 +/usr/sbin/so-curator-closed-delete > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1 diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete index 3d397defc..0d894db2f 100755 --- a/salt/curator/files/bin/so-curator-closed-delete-delete +++ b/salt/curator/files/bin/so-curator-closed-delete-delete @@ -1,16 +1,16 @@ -{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %} - {%- set ELASTICSEARCH_HOST = salt['pillar.get']('node:mainip', '') -%} - {%- set ELASTICSEARCH_PORT = salt['pillar.get']('node:es_port', '') -%} - {%- set LOG_SIZE_LIMIT = salt['pillar.get']('node:log_size_limit', '') -%} -{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %} - {%- set ELASTICSEARCH_HOST = salt['pillar.get']('master:mainip', '') -%} - {%- set ELASTICSEARCH_PORT = salt['pillar.get']('master:es_port', '') -%} - {%- set LOG_SIZE_LIMIT = salt['pillar.get']('master:log_size_limit', '') -%} -{%- endif -%} - #!/bin/bash -# + +{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %} + {%- set ELASTICSEARCH_HOST = salt['pillar.get']('elasticsearch:mainip', '') -%} + {%- set ELASTICSEARCH_PORT = salt['pillar.get']('elasticsearch:es_port', '') -%} + {%- set LOG_SIZE_LIMIT = salt['pillar.get']('elasticsearch:log_size_limit', '') -%} +{%- elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone'] %} + {%- set ELASTICSEARCH_HOST = salt['pillar.get']('manager:mainip', '') -%} + {%- set ELASTICSEARCH_PORT = salt['pillar.get']('manager:es_port', '') -%} + {%- set LOG_SIZE_LIMIT = salt['pillar.get']('manager:log_size_limit', '') -%} +{%- endif -%} + # Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC # # This program is free software: you can redistribute it and/or modify diff --git a/salt/curator/files/curator.yml b/salt/curator/files/curator.yml index f6c238a08..3b019923e 100644 --- a/salt/curator/files/curator.yml +++ b/salt/curator/files/curator.yml @@ -1,7 +1,7 @@ {% if grains['role'] in ['so-node', 'so-heavynode'] %} - {%- set elasticsearch = salt['pillar.get']('node:mainip', '') -%} -{% elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %} - {%- set elasticsearch = salt['pillar.get']('master:mainip', '') -%} + {%- set elasticsearch = salt['pillar.get']('elasticsearch:mainip', '') -%} +{% elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone'] %} + {%- set elasticsearch = salt['pillar.get']('manager:mainip', '') -%} {%- endif %} --- diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 8d3147242..8873f401a 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -1,6 +1,7 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} -{% if grains['role'] in ['so-eval', 'so-node', 'so-mastersearch', 'so-heavynode', 'so-standalone'] %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} +{% if grains['role'] in ['so-eval', 'so-node', 'so-managersearch', 'so-heavynode', 'so-standalone'] %} # Curator # Create the group curatorgroup: @@ -30,18 +31,10 @@ curlogdir: - user: 934 - group: 939 -curcloseconf: - file.managed: - - name: /opt/so/conf/curator/action/close.yml - - source: salt://curator/files/action/close.yml - - user: 934 - - group: 939 - - template: jinja - -curdelconf: - file.managed: - - name: /opt/so/conf/curator/action/delete.yml - - source: salt://curator/files/action/delete.yml +actionconfs: + file.recurse: + - name: /opt/so/conf/curator/action + - source: salt://curator/files/action - user: 934 - group: 939 - template: jinja @@ -119,7 +112,7 @@ so-curatordeletecron: so-curator: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-curator:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-curator:{{ VERSION }} - hostname: curator - name: so-curator - user: curator diff --git a/salt/deprecated-bro/cron/packetloss.sh b/salt/deprecated-bro/cron/packetloss.sh deleted file mode 100644 index 744fd09f4..000000000 --- a/salt/deprecated-bro/cron/packetloss.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -/usr/bin/docker exec so-bro /opt/bro/bin/broctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/bro/logs/packetloss.log diff --git a/salt/deprecated-bro/cron/zeek_clean b/salt/deprecated-bro/cron/zeek_clean deleted file mode 100644 index 24bbc218c..000000000 --- a/salt/deprecated-bro/cron/zeek_clean +++ /dev/null @@ -1,64 +0,0 @@ -#!/bin/bash - -# Delete Zeek Logs based on defined CRIT_DISK_USAGE value - -# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -clean () { - -SENSOR_DIR='/nsm' -CRIT_DISK_USAGE=90 -CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %) -LOG="/nsm/bro/logs/zeek_clean.log" - -if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then - while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; - do - TODAY=$(date -u "+%Y-%m-%d") - - # find the oldest Zeek logs directory and exclude today - OLDEST_DIR=$(ls /nsm/bro/logs/ | grep -v "current" | grep -v "stats" | grep -v "packetloss" | grep -v "zeek_clean" | sort | grep -v $TODAY | head -n 1) - if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ] - then - echo "$(date) - No old Zeek logs available to clean up in /nsm/bro/logs/" >> $LOG - exit 0 - else - echo "$(date) - Removing directory: /nsm/bro/logs/$OLDEST_DIR" >> $LOG - rm -rf /nsm/bro/logs/"$OLDEST_DIR" - fi - - # find oldest files in extracted directory and exclude today - OLDEST_EXTRACT=$(find /nsm/bro/extracted -type f -printf '%T+ %p\n' 2>/dev/null | sort | grep -v $TODAY | head -n 1) - if [ -z "$OLDEST_EXTRACT" -o "$OLDEST_EXTRACT" == ".." -o "$OLDEST_EXTRACT" == "." ] - then - echo "$(date) - No old extracted files available to clean up in /nsm/bro/extracted/" >> $LOG - else - OLDEST_EXTRACT_DATE=`echo $OLDEST_EXTRACT | awk '{print $1}' | cut -d+ -f1` - OLDEST_EXTRACT_FILE=`echo $OLDEST_EXTRACT | awk '{print $2}'` - echo "$(date) - Removing extracted files for $OLDEST_EXTRACT_DATE" >> $LOG - find /nsm/bro/extracted -type f -printf '%T+ %p\n' | grep $OLDEST_EXTRACT_DATE | awk '{print $2}' |while read FILE - do - echo "$(date) - Removing extracted file: $FILE" >> $LOG - rm -f "$FILE" - done - fi - done -else - echo "$(date) - CRIT_DISK_USAGE value of $CRIT_DISK_USAGE not greater than current usage of $CUR_USAGE..." >> $LOG -fi -} - -clean diff --git a/salt/deprecated-bro/files/local.bro b/salt/deprecated-bro/files/local.bro deleted file mode 100644 index afe4b94ca..000000000 --- a/salt/deprecated-bro/files/local.bro +++ /dev/null @@ -1,139 +0,0 @@ -##! Local site policy. Customize as appropriate. -##! -##! This file will not be overwritten when upgrading or reinstalling! - -# This script logs which scripts were loaded during each run. -@load misc/loaded-scripts - -# Apply the default tuning scripts for common tuning settings. -@load tuning/defaults - -# Estimate and log capture loss. -@load misc/capture-loss - -# Enable logging of memory, packet and lag statistics. -@load misc/stats - -# Load the scan detection script. -@load misc/scan - -# Detect traceroute being run on the network. This could possibly cause -# performance trouble when there are a lot of traceroutes on your network. -# Enable cautiously. -#@load misc/detect-traceroute - -# Generate notices when vulnerable versions of software are discovered. -# The default is to only monitor software found in the address space defined -# as "local". Refer to the software framework's documentation for more -# information. -@load frameworks/software/vulnerable - -# Detect software changing (e.g. attacker installing hacked SSHD). -@load frameworks/software/version-changes - -# This adds signatures to detect cleartext forward and reverse windows shells. -@load-sigs frameworks/signatures/detect-windows-shells - -# Load all of the scripts that detect software in various protocols. -@load protocols/ftp/software -@load protocols/smtp/software -@load protocols/ssh/software -@load protocols/http/software -# The detect-webapps script could possibly cause performance trouble when -# running on live traffic. Enable it cautiously. -#@load protocols/http/detect-webapps - -# This script detects DNS results pointing toward your Site::local_nets -# where the name is not part of your local DNS zone and is being hosted -# externally. Requires that the Site::local_zones variable is defined. -@load protocols/dns/detect-external-names - -# Script to detect various activity in FTP sessions. -@load protocols/ftp/detect - -# Scripts that do asset tracking. -@load protocols/conn/known-hosts -@load protocols/conn/known-services -@load protocols/ssl/known-certs - -# This script enables SSL/TLS certificate validation. -@load protocols/ssl/validate-certs - -# This script prevents the logging of SSL CA certificates in x509.log -@load protocols/ssl/log-hostcerts-only - -# Uncomment the following line to check each SSL certificate hash against the ICSI -# certificate notary service; see http://notary.icsi.berkeley.edu . -# @load protocols/ssl/notary - -# If you have libGeoIP support built in, do some geographic detections and -# logging for SSH traffic. -@load protocols/ssh/geo-data -# Detect hosts doing SSH bruteforce attacks. -@load protocols/ssh/detect-bruteforcing -# Detect logins using "interesting" hostnames. -@load protocols/ssh/interesting-hostnames - -# Detect SQL injection attacks. -@load protocols/http/detect-sqli - -#### Network File Handling #### - -# Enable MD5 and SHA1 hashing for all files. -@load frameworks/files/hash-all-files - -# Detect SHA1 sums in Team Cymru's Malware Hash Registry. -@load frameworks/files/detect-MHR - -# Uncomment the following line to enable detection of the heartbleed attack. Enabling -# this might impact performance a bit. -# @load policy/protocols/ssl/heartbleed - -# Uncomment the following line to enable logging of connection VLANs. Enabling -# this adds two VLAN fields to the conn.log file. This may not work properly -# since we use AF_PACKET and it strips VLAN tags. -# @load policy/protocols/conn/vlan-logging - -# Uncomment the following line to enable logging of link-layer addresses. Enabling -# this adds the link-layer address for each connection endpoint to the conn.log file. -# @load policy/protocols/conn/mac-logging - -# Uncomment the following line to enable the SMB analyzer. The analyzer -# is currently considered a preview and therefore not loaded by default. -@load base/protocols/smb - -# BPF Configuration -@load securityonion/bpfconf - -# Add the interface to the log event -#@load securityonion/add-interface-to-logs.bro - -# Add Sensor Name to the conn.log -#@load securityonion/conn-add-sensorname.bro - -# File Extraction -#@load securityonion/file-extraction - -# Intel from Mandiant APT1 Report -#@load securityonion/apt1 - -# ShellShock - detects successful exploitation of Bash vulnerability CVE-2014-6271 -#@load securityonion/shellshock - -# JA3 - SSL Detection Goodness -@load policy/ja3 - -# HASSH -@load policy/hassh - -# You can load your own intel into: -# /opt/so/saltstack/bro/policy/intel/ on the master -@load intel - -# Load a custom Bro policy -# /opt/so/saltstack/bro/policy/custom/ on the master -#@load custom/somebropolicy.bro - -# Write logs in JSON -redef LogAscii::use_json = T; -redef LogAscii::json_timestamps = JSON::TS_ISO8601; diff --git a/salt/deprecated-bro/files/local.bro.community b/salt/deprecated-bro/files/local.bro.community deleted file mode 100644 index 2ae12d7f2..000000000 --- a/salt/deprecated-bro/files/local.bro.community +++ /dev/null @@ -1,133 +0,0 @@ -##! Local site policy. Customize as appropriate. -##! -##! This file will not be overwritten when upgrading or reinstalling! - -# This script logs which scripts were loaded during each run. -@load misc/loaded-scripts - -# Apply the default tuning scripts for common tuning settings. -@load tuning/defaults - -# Estimate and log capture loss. -@load misc/capture-loss - -# Enable logging of memory, packet and lag statistics. -@load misc/stats - -# Load the scan detection script. -@load misc/scan - -# Detect traceroute being run on the network. This could possibly cause -# performance trouble when there are a lot of traceroutes on your network. -# Enable cautiously. -#@load misc/detect-traceroute - -# Generate notices when vulnerable versions of software are discovered. -# The default is to only monitor software found in the address space defined -# as "local". Refer to the software framework's documentation for more -# information. -@load frameworks/software/vulnerable - -# Detect software changing (e.g. attacker installing hacked SSHD). -@load frameworks/software/version-changes - -# This adds signatures to detect cleartext forward and reverse windows shells. -@load-sigs frameworks/signatures/detect-windows-shells - -# Load all of the scripts that detect software in various protocols. -@load protocols/ftp/software -@load protocols/smtp/software -@load protocols/ssh/software -@load protocols/http/software -# The detect-webapps script could possibly cause performance trouble when -# running on live traffic. Enable it cautiously. -#@load protocols/http/detect-webapps - -# This script detects DNS results pointing toward your Site::local_nets -# where the name is not part of your local DNS zone and is being hosted -# externally. Requires that the Site::local_zones variable is defined. -@load protocols/dns/detect-external-names - -# Script to detect various activity in FTP sessions. -@load protocols/ftp/detect - -# Scripts that do asset tracking. -@load protocols/conn/known-hosts -@load protocols/conn/known-services -@load protocols/ssl/known-certs - -# This script enables SSL/TLS certificate validation. -@load protocols/ssl/validate-certs - -# This script prevents the logging of SSL CA certificates in x509.log -@load protocols/ssl/log-hostcerts-only - -# Uncomment the following line to check each SSL certificate hash against the ICSI -# certificate notary service; see http://notary.icsi.berkeley.edu . -# @load protocols/ssl/notary - -# If you have libGeoIP support built in, do some geographic detections and -# logging for SSH traffic. -@load protocols/ssh/geo-data -# Detect hosts doing SSH bruteforce attacks. -@load protocols/ssh/detect-bruteforcing -# Detect logins using "interesting" hostnames. -@load protocols/ssh/interesting-hostnames - -# Detect SQL injection attacks. -@load protocols/http/detect-sqli - -#### Network File Handling #### - -# Enable MD5 and SHA1 hashing for all files. -@load frameworks/files/hash-all-files - -# Detect SHA1 sums in Team Cymru's Malware Hash Registry. -@load frameworks/files/detect-MHR - -# Uncomment the following line to enable detection of the heartbleed attack. Enabling -# this might impact performance a bit. -# @load policy/protocols/ssl/heartbleed - -# Uncomment the following line to enable logging of connection VLANs. Enabling -# this adds two VLAN fields to the conn.log file. This may not work properly -# since we use AF_PACKET and it strips VLAN tags. -# @load policy/protocols/conn/vlan-logging - -# Uncomment the following line to enable logging of link-layer addresses. Enabling -# this adds the link-layer address for each connection endpoint to the conn.log file. -# @load policy/protocols/conn/mac-logging - -# Uncomment the following line to enable the SMB analyzer. The analyzer -# is currently considered a preview and therefore not loaded by default. -# @load policy/protocols/smb - -# Add the interface to the log event -#@load securityonion/add-interface-to-logs.bro - -# Add Sensor Name to the conn.log -#@load securityonion/conn-add-sensorname.bro - -# File Extraction -#@load securityonion/file-extraction - -# Intel from Mandiant APT1 Report -#@load securityonion/apt1 - -# ShellShock - detects successful exploitation of Bash vulnerability CVE-2014-6271 -#@load securityonion/shellshock - -# JA3 - SSL Detection Goodness -@load policy/ja3 - -# You can load your own intel into: -# /opt/so/saltstack/bro/policy/intel/ on the master -@load intel - -# Load a custom Bro policy -# /opt/so/saltstack/bro/policy/custom/ on the master -#@load custom/somebropolicy.bro - -# Use JSON -redef LogAscii::use_json = T; -redef LogAscii::json_timestamps = JSON::TS_ISO8601; diff --git a/salt/deprecated-bro/files/node.cfg b/salt/deprecated-bro/files/node.cfg deleted file mode 100644 index 6f9608113..000000000 --- a/salt/deprecated-bro/files/node.cfg +++ /dev/null @@ -1,47 +0,0 @@ -{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} - -{%- if salt['pillar.get']('sensor:bro_pins') or salt['pillar.get']('sensor:bro_lbprocs') %} -{%- if salt['pillar.get']('sensor:bro_proxies') %} - {%- set proxies = salt['pillar.get']('sensor:bro_proxies', '1') %} -{%- else %} - {%- if salt['pillar.get']('sensor:bro_pins') %} - {%- set proxies = (salt['pillar.get']('sensor:bro_pins')|length/10)|round(0, 'ceil')|int %} - {%- else %} - {%- set proxies = (salt['pillar.get']('sensor:bro_lbprocs')/10)|round(0, 'ceil')|int %} - {%- endif %} -{%- endif %} -[manager] -type=manager -host=localhost - -[logger] -type=logger -host=localhost - -[proxy] -type=proxy -host=localhost - -[worker-1] -type=worker -host=localhost -interface=af_packet::{{ interface }} -lb_method=custom - -{%- if salt['pillar.get']('sensor:bro_lbprocs') %} -lb_procs={{ salt['pillar.get']('sensor:bro_lbprocs', '1') }} -{%- else %} -lb_procs={{ salt['pillar.get']('sensor:bro_pins')|length }} -{%- endif %} -{%- if salt['pillar.get']('sensor:bro_pins') %} -pin_cpus={{ salt['pillar.get']('sensor:bro_pins')|join(", ") }} -{%- endif %} -af_packet_fanout_id=23 -af_packet_fanout_mode=AF_Packet::FANOUT_HASH -af_packet_buffer_size=128*1024*1024 -{%- else %} -[brosa] -type=standalone -host=localhost -interface={{ interface }} -{%- endif %} diff --git a/salt/deprecated-bro/init.sls b/salt/deprecated-bro/init.sls deleted file mode 100644 index 8f36be420..000000000 --- a/salt/deprecated-bro/init.sls +++ /dev/null @@ -1,206 +0,0 @@ -{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} -{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf') %} -{% set BPF_STATUS = 0 %} - -# Bro Salt State -# Add Bro group -brogroup: - group.present: - - name: bro - - gid: 937 - -# Add Bro User -bro: - user.present: - - uid: 937 - - gid: 937 - - home: /home/bro - -# Create some directories -bropolicydir: - file.directory: - - name: /opt/so/conf/bro/policy - - user: 937 - - group: 939 - - makedirs: True - -# Bro Log Directory -brologdir: - file.directory: - - name: /nsm/bro/logs - - user: 937 - - group: 939 - - makedirs: True - -# Bro Spool Directory -brospooldir: - file.directory: - - name: /nsm/bro/spool/manager - - user: 937 - - makedirs: true - -# Bro extracted directory -broextractdir: - file.directory: - - name: /nsm/bro/extracted - - user: 937 - - group: 939 - - makedirs: True - -brosfafincompletedir: - file.directory: - - name: /nsm/faf/files/incomplete - - user: 937 - - makedirs: true - -brosfafcompletedir: - file.directory: - - name: /nsm/faf/files/complete - - user: 937 - - makedirs: true - -# Sync the policies -bropolicysync: - file.recurse: - - name: /opt/so/conf/bro/policy - - source: salt://bro/policy - - user: 937 - - group: 939 - - template: jinja - -# Sync node.cfg -nodecfgsync: - file.managed: - - name: /opt/so/conf/bro/node.cfg - - source: salt://bro/files/node.cfg - - user: 937 - - group: 939 - - template: jinja - -plcronscript: - file.managed: - - name: /usr/local/bin/packetloss.sh - - source: salt://bro/cron/packetloss.sh - - mode: 755 - -zeekcleanscript: - file.managed: - - name: /usr/local/bin/zeek_clean - - source: salt://bro/cron/zeek_clean - - mode: 755 - -/usr/local/bin/zeek_clean: - cron.present: - - user: root - - minute: '*' - - hour: '*' - - daymonth: '*' - - month: '*' - - dayweek: '*' - -/usr/local/bin/packetloss.sh: - cron.present: - - user: root - - minute: '*/10' - - hour: '*' - - daymonth: '*' - - month: '*' - - dayweek: '*' - -# BPF compilation and configuration -{% if BPF_ZEEK %} - {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_ZEEK|join(" ") ) %} - {% if BPF_CALC['stderr'] == "" %} - {% set BPF_STATUS = 1 %} - {% else %} -zeekbpfcompilationfailure: - test.configurable_test_state: - - changes: False - - result: False - - comment: "BPF Syntax Error - Discarding Specified BPF" - {% endif %} -{% endif %} - -zeekbpf: - file.managed: - - name: /opt/so/conf/bro/bpf - - user: 940 - - group: 940 - {% if BPF_STATUS %} - - contents_pillar: zeek:bpf - {% else %} - - contents: - - "ip or not ip" - {% endif %} - -# Sync local.bro -{% if salt['pillar.get']('static:broversion', '') == 'COMMUNITY' %} -localbrosync: - file.managed: - - name: /opt/so/conf/bro/local.bro - - source: salt://bro/files/local.bro.community - - user: 937 - - group: 939 - - template: jinja - -so-communitybroimage: - cmd.run: - - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-communitybro:HH1.0.3 - -so-bro: - docker_container.running: - - require: - - so-communitybroimage - - image: docker.io/soshybridhunter/so-communitybro:HH1.0.3 - - privileged: True - - binds: - - /nsm/bro/logs:/nsm/bro/logs:rw - - /nsm/bro/spool:/nsm/bro/spool:rw - - /nsm/bro/extracted:/nsm/bro/extracted:rw - - /opt/so/conf/bro/local.bro:/opt/bro/share/bro/site/local.bro:ro - - /opt/so/conf/bro/node.cfg:/opt/bro/etc/node.cfg:ro - - /opt/so/conf/bro/policy/securityonion:/opt/bro/share/bro/policy/securityonion:ro - - /opt/so/conf/bro/policy/custom:/opt/bro/share/bro/policy/custom:ro - - /opt/so/conf/bro/policy/intel:/opt/bro/share/bro/policy/intel:rw - - network_mode: host - - watch: - - file: /opt/so/conf/bro/local.bro - - file: /opt/so/conf/bro/node.cfg - - file: /opt/so/conf/bro/policy - -{% else %} -localbrosync: - file.managed: - - name: /opt/so/conf/bro/local.bro - - source: salt://bro/files/local.bro - - user: 937 - - group: 939 - - template: jinja - -so-broimage: - cmd.run: - - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-bro:HH1.1.1 - -so-bro: - docker_container.running: - - require: - - so-broimage - - image: docker.io/soshybridhunter/so-bro:HH1.1.1 - - privileged: True - - binds: - - /nsm/bro/logs:/nsm/bro/logs:rw - - /nsm/bro/spool:/nsm/bro/spool:rw - - /nsm/bro/extracted:/nsm/bro/extracted:rw - - /opt/so/conf/bro/local.bro:/opt/bro/share/bro/site/local.bro:ro - - /opt/so/conf/bro/node.cfg:/opt/bro/etc/node.cfg:ro - - /opt/so/conf/bro/bpf:/opt/bro/share/bro/site/bpf:ro - - /opt/so/conf/bro/policy/securityonion:/opt/bro/share/bro/policy/securityonion:ro - - /opt/so/conf/bro/policy/custom:/opt/bro/share/bro/policy/custom:ro - - /opt/so/conf/bro/policy/intel:/opt/bro/share/bro/policy/intel:rw - - network_mode: host - - watch: - - file: /opt/so/conf/bro/local.bro - - file: /opt/so/conf/bro/node.cfg - - file: /opt/so/conf/bro/policy - - file: /opt/so/conf/bro/bpf -{% endif %} diff --git a/salt/deprecated-bro/policy/intel/__load__.bro b/salt/deprecated-bro/policy/intel/__load__.bro deleted file mode 100644 index 4a4d603a7..000000000 --- a/salt/deprecated-bro/policy/intel/__load__.bro +++ /dev/null @@ -1 +0,0 @@ -#Intel diff --git a/salt/deprecated-bro/policy/securityonion/add-interface-to-logs.bro b/salt/deprecated-bro/policy/securityonion/add-interface-to-logs.bro deleted file mode 100644 index 674b9272a..000000000 --- a/salt/deprecated-bro/policy/securityonion/add-interface-to-logs.bro +++ /dev/null @@ -1,20 +0,0 @@ -{%- set interface = salt['pillar.get']('sensor:interface', '0') %} -global interface = "{{ interface }}"; - -event bro_init() - { - if ( ! reading_live_traffic() ) - return; - - Log::remove_default_filter(HTTP::LOG); - Log::add_filter(HTTP::LOG, [$name = "http-interfaces", - $path_func(id: Log::ID, path: string, rec: HTTP::Info) = - { - local peer = get_event_peer()$descr; - if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface ) - return cat("http_", Cluster::nodes[peer]$interface); - else - return "http"; - } - ]); - } diff --git a/salt/deprecated-bro/policy/securityonion/apt1/__load__.bro b/salt/deprecated-bro/policy/securityonion/apt1/__load__.bro deleted file mode 100644 index de931eaac..000000000 --- a/salt/deprecated-bro/policy/securityonion/apt1/__load__.bro +++ /dev/null @@ -1,9 +0,0 @@ -@load frameworks/intel/seen -@load frameworks/intel/do_notice -@load frameworks/files/hash-all-files - -redef Intel::read_files += { - fmt("%s/apt1-fqdn.dat", @DIR), - fmt("%s/apt1-md5.dat", @DIR), - fmt("%s/apt1-certs.dat", @DIR) -}; diff --git a/salt/deprecated-bro/policy/securityonion/apt1/apt1-certs.dat b/salt/deprecated-bro/policy/securityonion/apt1/apt1-certs.dat deleted file mode 100644 index 3f5e643ac..000000000 --- a/salt/deprecated-bro/policy/securityonion/apt1/apt1-certs.dat +++ /dev/null @@ -1,26 +0,0 @@ -#fields indicator indicator_type meta.source meta.desc meta.do_notice -b054e26ef827fbbf5829f84a9bdbb697a5b042fc Intel::CERT_HASH Mandiant APT1 Report ALPHA T -7bc0cc2cf7c3a996c32dbe7e938993f7087105b4 Intel::CERT_HASH Mandiant APT1 Report AOL T -7855c132af1390413d4e4ff4ead321f8802d8243 Intel::CERT_HASH Mandiant APT1 Report AOL T -f3e3c590d7126bd227733e9d8313d2575c421243 Intel::CERT_HASH Mandiant APT1 Report AOL T -d4d4e896ce7d73b573f0a0006080a246aec61fe7 Intel::CERT_HASH Mandiant APT1 Report AOL T -bcdf4809c1886ac95478bbafde246d0603934298 Intel::CERT_HASH Mandiant APT1 Report AOL T -6b4855df8afc8d57a671fe5ed628f6d88852a922 Intel::CERT_HASH Mandiant APT1 Report AOL T -d50fdc82c328319ac60f256d3119b8708cd5717b Intel::CERT_HASH Mandiant APT1 Report AOL T -70b48d5177eebe9c762e9a37ecabebfd10e1b7e9 Intel::CERT_HASH Mandiant APT1 Report AOL T -3a6a299b764500ce1b6e58a32a257139d61a3543 Intel::CERT_HASH Mandiant APT1 Report AOL T -bf4f90e0029b2263af1141963ddf2a0c71a6b5fb Intel::CERT_HASH Mandiant APT1 Report AOL T -b21139583dec0dae344cca530690ec1f344acc79 Intel::CERT_HASH Mandiant APT1 Report AOL T -21971ffef58baf6f638df2f7e2cceb4c58b173c8 Intel::CERT_HASH Mandiant APT1 Report EMAIL T -04ecff66973c92a1c348666d5a4738557cce0cfc Intel::CERT_HASH Mandiant APT1 Report IBM T -f97d1a703aec44d0f53a3a294e33acda43a49de1 Intel::CERT_HASH Mandiant APT1 Report IBM T -c0d32301a7c96ecb0bc8e381ec19e6b4eaf5d2fe Intel::CERT_HASH Mandiant APT1 Report IBM T -1b27a897cda019da2c3a6dc838761871e8bf5b5d Intel::CERT_HASH Mandiant APT1 Report LAME T -d515996e8696612dc78fc6db39006466fc6550df Intel::CERT_HASH Mandiant APT1 Report MOON-NIGHT T -8f79315659e59c79f1301ef4aee67b18ae2d9f1c Intel::CERT_HASH Mandiant APT1 Report NONAME T -a57a84975e31e376e3512da7b05ad06ef6441f53 Intel::CERT_HASH Mandiant APT1 Report NS T -b3db37a0edde97b3c3c15da5f2d81d27af82f583 Intel::CERT_HASH Mandiant APT1 Report SERVER (PEM) T -6d8f1454f6392361fb2464b744d4fc09eee5fcfd Intel::CERT_HASH Mandiant APT1 Report SUR T -b66e230f404b2cc1c033ccacda5d0a14b74a2752 Intel::CERT_HASH Mandiant APT1 Report VIRTUALLYTHERE T -4acbadb86a91834493dde276736cdf8f7ef5d497 Intel::CERT_HASH Mandiant APT1 Report WEBMAIL T -86a48093d9b577955c4c9bd19e30536aae5543d4 Intel::CERT_HASH Mandiant APT1 Report YAHOO T \ No newline at end of file diff --git a/salt/deprecated-bro/policy/securityonion/apt1/apt1-fqdn.dat b/salt/deprecated-bro/policy/securityonion/apt1/apt1-fqdn.dat deleted file mode 100644 index f0a57f8c3..000000000 --- a/salt/deprecated-bro/policy/securityonion/apt1/apt1-fqdn.dat +++ /dev/null @@ -1,2049 +0,0 @@ -#fields indicator indicator_type meta.source meta.do_notice -# The following line is for testing only. Please keep it commented out when running in production. -#time.windows.com Intel::DOMAIN Test FQDN T -advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T -applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -attnpower.com Intel::DOMAIN Mandiant APT1 Report T -aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -avvmail.com Intel::DOMAIN Mandiant APT1 Report T -bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -bigish.net Intel::DOMAIN Mandiant APT1 Report T -blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T -blackcake.net Intel::DOMAIN Mandiant APT1 Report T -bluecoate.com Intel::DOMAIN Mandiant APT1 Report T -booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T -businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -businessformars.com Intel::DOMAIN Mandiant APT1 Report T -busketball.com Intel::DOMAIN Mandiant APT1 Report T -canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -cnndaily.net Intel::DOMAIN Mandiant APT1 Report T -cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -cometoway.org Intel::DOMAIN Mandiant APT1 Report T -companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -competrip.com Intel::DOMAIN Mandiant APT1 Report T -comrepair.net Intel::DOMAIN Mandiant APT1 Report T -conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T -copporationnews.com Intel::DOMAIN Mandiant APT1 Report T -cslisten.com Intel::DOMAIN Mandiant APT1 Report T -defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -giftnews.org Intel::DOMAIN Mandiant APT1 Report T -globalowa.com Intel::DOMAIN Mandiant APT1 Report T -gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -hkcastte.com Intel::DOMAIN Mandiant APT1 Report T -hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -hvmetal.com Intel::DOMAIN Mandiant APT1 Report T -idirectech.com Intel::DOMAIN Mandiant APT1 Report T -ifexcel.com Intel::DOMAIN Mandiant APT1 Report T -infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -infosupports.com Intel::DOMAIN Mandiant APT1 Report T -issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -livemymsn.com Intel::DOMAIN Mandiant APT1 Report T -lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T -maltempata.com Intel::DOMAIN Mandiant APT1 Report T -marsbrother.com Intel::DOMAIN Mandiant APT1 Report T -mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T -microsoft-update-info.com Intel::DOMAIN Mandiant APT1 Report T -micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T -msnhome.org Intel::DOMAIN Mandiant APT1 Report T -myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T -nationtour.net Intel::DOMAIN Mandiant APT1 Report T -newsesport.com Intel::DOMAIN Mandiant APT1 Report T -newsonet.net Intel::DOMAIN Mandiant APT1 Report T -newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -newspappers.org Intel::DOMAIN Mandiant APT1 Report T -nirvanaol.com Intel::DOMAIN Mandiant APT1 Report T -ns06.net Intel::DOMAIN Mandiant APT1 Report T -nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T -olmusic100.com Intel::DOMAIN Mandiant APT1 Report T -onefastgame.net Intel::DOMAIN Mandiant APT1 Report T -oplaymagzine.com Intel::DOMAIN Mandiant APT1 Report T -pcclubddk.net Intel::DOMAIN Mandiant APT1 Report T -phoenixtvus.com Intel::DOMAIN Mandiant APT1 Report T -pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -progammerli.com Intel::DOMAIN Mandiant APT1 Report T -purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -regicsgf.net Intel::DOMAIN Mandiant APT1 Report T -reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T -safalife.com Intel::DOMAIN Mandiant APT1 Report T -saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T -satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -searchforca.com Intel::DOMAIN Mandiant APT1 Report T -shepmas.com Intel::DOMAIN Mandiant APT1 Report T -skyswim.net Intel::DOMAIN Mandiant APT1 Report T -softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -sportreadok.net Intel::DOMAIN Mandiant APT1 Report T -staycools.net Intel::DOMAIN Mandiant APT1 Report T -symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -syscation.com Intel::DOMAIN Mandiant APT1 Report T -syscation.net Intel::DOMAIN Mandiant APT1 Report T -tfxdccssl.net Intel::DOMAIN Mandiant APT1 Report T -thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -tibethome.org Intel::DOMAIN Mandiant APT1 Report T -todayusa.org Intel::DOMAIN Mandiant APT1 Report T -usabbs.org Intel::DOMAIN Mandiant APT1 Report T -usapappers.com Intel::DOMAIN Mandiant APT1 Report T -ushongkong.org Intel::DOMAIN Mandiant APT1 Report T -usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -usnftc.org Intel::DOMAIN Mandiant APT1 Report T -ustvb.com Intel::DOMAIN Mandiant APT1 Report T -uszzcs.com Intel::DOMAIN Mandiant APT1 Report T -voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -webservicesupdate.com Intel::DOMAIN Mandiant APT1 Report T -worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -youipcam.com Intel::DOMAIN Mandiant APT1 Report T -08elec.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -09back.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -3ml.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -3pma.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -4cback.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -7cback.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -911.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -a-ad.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -a-af.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -aam.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -aar.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -aarco.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -a-bne.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -abs.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -acer.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -acli-mail.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -a-co.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -acu.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -adb.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -add.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -addr.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -adi002.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -a-dl.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -admin.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -admin.datastorage01.org Intel::DOMAIN Mandiant APT1 Report T -admin.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -admin.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -adobe.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -ads.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T -adt.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -adt001.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -adt002.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -adtk.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -adtkl.bigish.net Intel::DOMAIN Mandiant APT1 Report T -adtkl.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -adtlk.bigish.net Intel::DOMAIN Mandiant APT1 Report T -ae.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -a-ec.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -a-ep.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -aero.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -aes.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -a-ex.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -af.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -afda.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -a-fj.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -africa.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -africa.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -africa.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -africadb.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -afw.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -a-ga.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -agl.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -ago.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -a-gon.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -a-he.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -a-he.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -a-if.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -a-iho.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -aiic.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -aip.comrepair.net Intel::DOMAIN Mandiant APT1 Report T -airline.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -airplane.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -ait.busketball.com Intel::DOMAIN Mandiant APT1 Report T -a-ja.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -a-jsm.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -a-jsm.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -ak47.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -ak47.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -alarm.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -alarm.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -alcan.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -alion.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -alone.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -amanda.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -amne.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -ams.busketball.com Intel::DOMAIN Mandiant APT1 Report T -amusement.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -analysis.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -anglo.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -anti.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -aol.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -a-ol.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -aol.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -aol.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -aon.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -a-ov.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -apa.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -apa.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -apa.safalife.com Intel::DOMAIN Mandiant APT1 Report T -apejack.bigish.net Intel::DOMAIN Mandiant APT1 Report T -apekl.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -a-pep.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -app.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -app.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -apple.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -apple.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -apple.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -apple.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T -aps.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -apss.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -apss.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -ara.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -ara.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -ara2.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -ara2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -arainfo.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -arainfo.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -a-rdr.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -ares.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -argsafhq.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T -a-ri.comrepair.net Intel::DOMAIN Mandiant APT1 Report T -armi.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -army.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -army.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -ascn.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -asiv.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -asp.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -asp.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -asp.busketball.com Intel::DOMAIN Mandiant APT1 Report T -asp.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -ass.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -astone.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -atm.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -atom.busketball.com Intel::DOMAIN Mandiant APT1 Report T -a-uac.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -a-un.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -ausi.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -auto.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -auto.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -auto.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -auto.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -auto.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T -auto.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -auto.myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T -avast.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -avph.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -a-za.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -a-za.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -a-zx.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -b.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -bab.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -back.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -back.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -back.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -back.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -backsun.busketball.com Intel::DOMAIN Mandiant APT1 Report T -backup.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -backup.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -backup.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -backupsw.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -banner.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -barity.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -basketball.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -bass.busketball.com Intel::DOMAIN Mandiant APT1 Report T -bat.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -bat.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -bat.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -bat.safalife.com Intel::DOMAIN Mandiant APT1 Report T -bbb.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -bbh.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -bbs.busketball.com Intel::DOMAIN Mandiant APT1 Report T -bbs.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -bbsfu.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -bcc.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T -bcc.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -bcc.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -bee.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -bee.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -bee.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -bg-g.comrepair.net Intel::DOMAIN Mandiant APT1 Report T -bhbt.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -bhbt.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -bing.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -bitdefender.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -bkav.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -bkav2007.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -bksy.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -black.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -black.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -blackfish.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -bll.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -blog.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -blog.busketball.com Intel::DOMAIN Mandiant APT1 Report T -blog.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -blog.regicsgf.net Intel::DOMAIN Mandiant APT1 Report T -blow.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -blue.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -bluefin.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -bmi.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -bob.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -bobo.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -bobo.oplaymagzine.com Intel::DOMAIN Mandiant APT1 Report T -book.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -book.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -book.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -bot.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -bourne.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -bphb.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -bring.busketball.com Intel::DOMAIN Mandiant APT1 Report T -brog.regicsgf.net Intel::DOMAIN Mandiant APT1 Report T -bswt.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -built.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -business.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -business.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -business.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -business.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -business.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -business.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -buy.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -buy.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -buycow.busketball.com Intel::DOMAIN Mandiant APT1 Report T -buyer.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -buz.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -c.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -caaid.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -cac.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -cac.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -cache.aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T -cacq.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -cadfait.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -cais.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -cais.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -can.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -canada.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -canary.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -cappuccino.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -car1.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -care.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -care.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -cars.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -carvin.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -catalog.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -ccsukl.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -cdc01.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -cdcd.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -cdd.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -cdrnkl.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -cecilia.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -ce-ip.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -center.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -center.busketball.com Intel::DOMAIN Mandiant APT1 Report T -center.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -ceros.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -cetv.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -chat.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -chat.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -check.staycools.net Intel::DOMAIN Mandiant APT1 Report T -check.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -chicken.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -chicken.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -chivas.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -chq.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -christitannahill.appspot.com Intel::DOMAIN Mandiant APT1 Report T -cib.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -cibuc.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -citrix.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -citt.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -city.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -class.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -client.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -climate.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -climate.oplaymagzine.com Intel::DOMAIN Mandiant APT1 Report T -clin.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -cman.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -cmp.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -cobh.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -coco.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -code.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -code.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -coe.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -coe.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -coer.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -cok.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -com.conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T -comfile.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -commpany.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -company.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -compfile.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -compu.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -compute.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -conn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -contact.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -contact.bigish.net Intel::DOMAIN Mandiant APT1 Report T -contact.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -contact.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -contact.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -contact.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -content.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -control.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -control.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T -cook.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -cool.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -cool.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -corn.busketball.com Intel::DOMAIN Mandiant APT1 Report T -corp.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -corp.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -cost.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -count.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -country.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -cow.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -cowboy.bigish.net Intel::DOMAIN Mandiant APT1 Report T -cowboy.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -crab.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -crab.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -crab.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -crackling123.appspot.com Intel::DOMAIN Mandiant APT1 Report T -cross.busketball.com Intel::DOMAIN Mandiant APT1 Report T -crz.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -cs.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -csch.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -csupp.bigish.net Intel::DOMAIN Mandiant APT1 Report T -ctcn.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -ctcs.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -ctcs.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -ctimoon.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T -ctisk.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -cubbh.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -cubh.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -culture.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -cure.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -current.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -cw.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -cw.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -cw.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -cw.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -cw.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -cwe.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -cwe80.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -cwel.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -cws.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -d.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T -da.comrepair.net Intel::DOMAIN Mandiant APT1 Report T -daa.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -daily.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -data.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -date.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -date.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -date.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T -date.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -datehelp.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dating.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -db.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -default.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -defense.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -del.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -demo.myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T -den.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -denel.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -densun.comrepair.net Intel::DOMAIN Mandiant APT1 Report T -des.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -des.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -develop.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dhfx.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -dias.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -digi.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dith.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -dl.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dlkl.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -dnn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dns.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -dns.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -dns.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -dns.progammerli.com Intel::DOMAIN Mandiant APT1 Report T -dns.webservicesupdate.com Intel::DOMAIN Mandiant APT1 Report T -dns1.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dnsg.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -do.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -doa.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -docu.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -documents.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -documents.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -documents.busketball.com Intel::DOMAIN Mandiant APT1 Report T -documents.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -documents.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -documents.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -documents.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -documents.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -dod.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -doekl.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -domain.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -domain.busketball.com Intel::DOMAIN Mandiant APT1 Report T -domain.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dorkia.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dot.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -dotnet.safalife.com Intel::DOMAIN Mandiant APT1 Report T -dove.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -down.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -down.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -down.safalife.com Intel::DOMAIN Mandiant APT1 Report T -download.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -download.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -download.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -download.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -download.idirectech.com Intel::DOMAIN Mandiant APT1 Report T -download.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -download.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -downloads.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -downupdate.bigish.net Intel::DOMAIN Mandiant APT1 Report T -dp.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -dq.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -drb.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -drinkwater.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -drop.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -dsh.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -dsw.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -dvid.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -dvid.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -dvn.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -dyn.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -dyn.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -dyns.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -e.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -e.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -e.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -e.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -e.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -e.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -e.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T -e.microsoft-update-info.com Intel::DOMAIN Mandiant APT1 Report T -e.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -e.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -e.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -e.staycools.net Intel::DOMAIN Mandiant APT1 Report T -e.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -e.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -e.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -e.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -e.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -eaof.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -east.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -eatbeef.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -ecli-cow.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -edit.aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T -edu.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -education.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -education.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T -eeaa.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -eee.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -egcc.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -email.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -email.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -email.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -email.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -email.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -email.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -email.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -email.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T -email.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -email.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -email.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -email.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -email.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -email.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -email.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -email.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -email.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T -email.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -email.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -email.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -email.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -email.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -email.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -email.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -email.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -email.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -email.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -emam.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -en.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -energy.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -energy.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -energy.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -energy.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -energy.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -energy.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -engine.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -engineering.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -environment.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -eoaf.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -epod.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -eu.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -eum.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -europa.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -europe.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -ever.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -everest.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -eye.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -f3tel.bigish.net Intel::DOMAIN Mandiant APT1 Report T -face.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -facebook.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -faq.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -fashion.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -fax.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -fax.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T -fax.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -fax.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -fax.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -fax.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -fax.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -fax.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -fax.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T -fax.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -fax.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -fax.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -fax.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -fcn.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -fed.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -ffej.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -ffej.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -fher.bigish.net Intel::DOMAIN Mandiant APT1 Report T -fher.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -fhh.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -file.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -file.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -files.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -files.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -fileshare.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -fileyp.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -film.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -fim.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -fim.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -finance.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -finance.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -finance.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -finance.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -finance.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -finance.staycools.net Intel::DOMAIN Mandiant APT1 Report T -finance.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -finance.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -finance.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -finance.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -finance.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -financial.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -fine.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -fineca.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T -fineca.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -finekl.bigish.net Intel::DOMAIN Mandiant APT1 Report T -finekl.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -finekl.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -fiona.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -fire.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -fire1.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -first.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -fjod.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -fkfc.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -flash.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -flash.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -flash.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -flash.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -flash.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -flash.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T -flash.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -flash.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -flash.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -flash.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -flucare.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -fly.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -fme.busketball.com Intel::DOMAIN Mandiant APT1 Report T -f-mi.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -fmp.bigish.net Intel::DOMAIN Mandiant APT1 Report T -fmp.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -fnem.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -fni.bigish.net Intel::DOMAIN Mandiant APT1 Report T -fni.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -fni.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -fnpc.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -fnrn.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -fntel.bigish.net Intel::DOMAIN Mandiant APT1 Report T -fok.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -follow.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -food.busketball.com Intel::DOMAIN Mandiant APT1 Report T -food.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -football.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -forum.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -free.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -friends.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -froum.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -fs.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -fs.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -fstl.bigish.net Intel::DOMAIN Mandiant APT1 Report T -fstl.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -fstl.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -ftp.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -ftp.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -ftp.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -ftp.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -ftp.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T -ftp.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -ftp.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -ftp.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -ftp.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T -ftp.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -ftp.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -ftp.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -ftp.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -ftp.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -ftp.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -ftp.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T -ftp.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -ftp.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -ftp.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -ftp.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -ftp.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -ftp.staycools.net Intel::DOMAIN Mandiant APT1 Report T -ftp.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -ftp.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -ftp.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -ftp.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -ftp.ustvb.com Intel::DOMAIN Mandiant APT1 Report T -ftp.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -ftph.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -ftrj.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -fuck.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -fun.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -function.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -function.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -funny.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -funny.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -fwb.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -fwb.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -fwmo.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -fwmo.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -fy.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -fza.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T -gaca.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -gaca.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -game.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -game.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -games.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -gannett.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -gatu.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -gayi.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -gee.safalife.com Intel::DOMAIN Mandiant APT1 Report T -gege.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -gege.oplaymagzine.com Intel::DOMAIN Mandiant APT1 Report T -geneticmedicine.conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T -geo.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -geology.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -geology.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -gg.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -gg.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -ghma.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -gjjr.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -gjmy.comrepair.net Intel::DOMAIN Mandiant APT1 Report T -gl.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -glj.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -global.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -global.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -globalization.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -glx.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -gmail.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -gmail.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -gmail.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -google.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -goverment.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -green.safalife.com Intel::DOMAIN Mandiant APT1 Report T -ground.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -ground.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -ground.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -gsti.busketball.com Intel::DOMAIN Mandiant APT1 Report T -gsup.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -half.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -half.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -happy.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -happy.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -happy.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -happy.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -happyfish.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -hav.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -health.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -hello.mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T -help.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -help.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -help.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -help.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -help.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -help.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -help.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -hi.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T -hill.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -hill.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -hill.businessformars.com Intel::DOMAIN Mandiant APT1 Report T -hill.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -hm.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -home.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -home.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -home.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -home.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -home.staycools.net Intel::DOMAIN Mandiant APT1 Report T -hon.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -host.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -host.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -host.regicsgf.net Intel::DOMAIN Mandiant APT1 Report T -hostname.regicsgf.net Intel::DOMAIN Mandiant APT1 Report T -hot.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -hotel.safalife.com Intel::DOMAIN Mandiant APT1 Report T -house.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -house.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -house.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -housew.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -hpd.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -hq.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T -hrsy.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -https.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T -https.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -https.progammerli.com Intel::DOMAIN Mandiant APT1 Report T -hu.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -hun.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -hy.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -hy.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -iabk.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -iabk.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -iai.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -iamge.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -idtheft.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -iea.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -iexchangefxn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -ifc.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -image.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -image.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -image.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -image.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -image.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -images.spmiller.org Intel::DOMAIN Mandiant APT1 Report T -important.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -index.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -india.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -indian.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -indian.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -indonesia.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -info.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -info.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -info.bigish.net Intel::DOMAIN Mandiant APT1 Report T -info.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -info.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -info.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -info.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -info.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -info.idirectech.com Intel::DOMAIN Mandiant APT1 Report T -info.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -info.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -info.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -info.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T -info.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T -info.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -info.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -info.theagenews.com Intel::DOMAIN Mandiant APT1 Report T -info.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -info.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -info.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -information.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -information.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -information.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -information.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -information.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -ins.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -insat.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -int.busketball.com Intel::DOMAIN Mandiant APT1 Report T -int.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -intel.busketball.com Intel::DOMAIN Mandiant APT1 Report T -intel.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -intel.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -inter.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -international.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -invest.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -ips.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -iri.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -iri.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -irl.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -irs.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -irs.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -irsauctions.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -irssales.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -iscu.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -iswb.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -it.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -it.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -itau.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -itinfo.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -japan.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -java.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -jbei.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -jeff.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -jeph.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -jf.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -jfn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -jfs.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -jhd.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -jhd.safalife.com Intel::DOMAIN Mandiant APT1 Report T -jhsfkjlhjsf.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -job.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -job.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -job.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -jobs.mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T -johnford985.appspot.com Intel::DOMAIN Mandiant APT1 Report T -jr.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -juda.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -jwss.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -kf.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -khoda.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -king-kl.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -kit.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -kit.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -klape.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -klati.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -klbakerm.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -klbar.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -klbis.bigish.net Intel::DOMAIN Mandiant APT1 Report T -klbis.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -klbis.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -kl-care.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -klcirf.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -klcocon.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -klecca.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -klecca.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -klenvi.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -kl-hqun.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -kl-hqun.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -kliee.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -kl-knab.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -kllhd.bigish.net Intel::DOMAIN Mandiant APT1 Report T -kllhd.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -kl-mfa.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -klmfat.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -klnrdc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -klnrdc.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -klotp.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -klpiec.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -kl-rfc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -kl-rio.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -kluscc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -kl-vfw.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -klwest.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -knab.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -knews.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -koa.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -ks.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -ks.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -ks.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -ks.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -ks.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -ks.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -ks.petrotdl.com Intel::DOMAIN Mandiant APT1 Report T -ks.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -ks.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -ksaa.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -ksap.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -kshan.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -kusw.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -lab.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -lan.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -launch.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -law.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -law.myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T -lawste.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -lawste2.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -lcan.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -leets.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -leon.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -lhd.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -lib.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -life.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -link.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -linkup.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -linux.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -lion.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -listen.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -live.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -living.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -ln.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -lnz.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -loading.bigish.net Intel::DOMAIN Mandiant APT1 Report T -local.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -log.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -log.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -log.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -log.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -log.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T -login.aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T -login.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -login.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -login.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -login.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -login.safalife.com Intel::DOMAIN Mandiant APT1 Report T -logo.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -logo.staycools.net Intel::DOMAIN Mandiant APT1 Report T -logo.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -logon.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -logs.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -logs.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -logs.pcclubddk.net Intel::DOMAIN Mandiant APT1 Report T -logs.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T -lone.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -loper.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -lost.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -lost.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -love.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -love.busketball.com Intel::DOMAIN Mandiant APT1 Report T -love.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -lovecocon.bigish.net Intel::DOMAIN Mandiant APT1 Report T -loveit.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -lrl.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -lucie.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -lucy.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -lucy.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -lucy.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -lucy.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -lucy2.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -lucy2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -lw.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -lw.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -lw.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -lw.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -lwave.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -m.cslisten.com Intel::DOMAIN Mandiant APT1 Report T -m.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T -macfee.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -magazine.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -magazine.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -magic.tfxdccssl.net Intel::DOMAIN Mandiant APT1 Report T -mail.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -mail.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -mail.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -mail.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -mail.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -mail.bigish.net Intel::DOMAIN Mandiant APT1 Report T -mail.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -mail.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -mail.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -mail.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -mail.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -mail.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T -mail.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -mail.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -mail.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -mail.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -mail.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -mail.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -mail.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -mail.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T -mail.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -mail.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T -mail.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -mail.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -mail.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -mail.oplaymagzine.com Intel::DOMAIN Mandiant APT1 Report T -mail.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -mail.safalife.com Intel::DOMAIN Mandiant APT1 Report T -mail.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -mail.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -mail.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -mail.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -mail.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -mail.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -mail.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -mail.ustvb.com Intel::DOMAIN Mandiant APT1 Report T -mail.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -mail.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -mail2.syscation.net Intel::DOMAIN Mandiant APT1 Report T -mailbbs.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -mails.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -mailsrv.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -main.busketball.com Intel::DOMAIN Mandiant APT1 Report T -man001.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -man001.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -map.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -maria.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -marines.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -max.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -mc.bigish.net Intel::DOMAIN Mandiant APT1 Report T -mcsc.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -me.busketball.com Intel::DOMAIN Mandiant APT1 Report T -media.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -media.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -media.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -media.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -media.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -media.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -media.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -media.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -medicine.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -medicine.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -meg.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -meily.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -memberd.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -message.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -messenger.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -method.ns06.net Intel::DOMAIN Mandiant APT1 Report T -mfa.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -mfc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -micro.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -microsoft.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -milk.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -mini.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -mint.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -mko.busketball.com Intel::DOMAIN Mandiant APT1 Report T -mlls.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -mobile.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -money.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T -moon.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -moon.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -mor.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -more.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -mos.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -moto.busketball.com Intel::DOMAIN Mandiant APT1 Report T -moto.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -moto.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -moto1.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -moto2.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -motoa.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -motor.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -movie.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -movies.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -mpe.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -msn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -music.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T -music.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -music.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -music.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -mx.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -my.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -my550.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -myfamily.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -mynet.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -myoil.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -mysql.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -na.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -na.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -nat.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -nature.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -nav.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -navi.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -navi.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -nci.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -nci.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -nci.safalife.com Intel::DOMAIN Mandiant APT1 Report T -ncih.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -ncsc.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -ne.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -nes.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -net.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -net.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -new.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -new.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -new.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -new.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -newport.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -newport.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -newport.safalife.com Intel::DOMAIN Mandiant APT1 Report T -news.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -news.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -news.aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T -news.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -news.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -news.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -news.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -news.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T -news.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -news.busketball.com Intel::DOMAIN Mandiant APT1 Report T -news.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -news.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -news.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -news.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -news.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -news.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -news.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -news.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -news.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -news.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -news.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -news.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -news.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -news.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -news.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -news.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T -news.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T -news.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -news.mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T -news.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T -news.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -news.myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T -news.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -news.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -news.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -news.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T -news.pcclubddk.net Intel::DOMAIN Mandiant APT1 Report T -news.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -news.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -news.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T -news.safalife.com Intel::DOMAIN Mandiant APT1 Report T -news.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T -news.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -news.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -news.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T -news.staycools.net Intel::DOMAIN Mandiant APT1 Report T -news.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -news.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -news.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -news.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -news.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -news.yahoo.com.conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T -news.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -newstar.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T -newstar.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -newstime.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -newyork.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -ngc.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -ngng.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -nh.microsoft-update-info.com Intel::DOMAIN Mandiant APT1 Report T -nhc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -nhs.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -nhs1.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -nhs1.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -nhsl.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -nic.safalife.com Intel::DOMAIN Mandiant APT1 Report T -nicenews.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -night.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -nis.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -nl.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -nod.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -nol.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -norin.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -notebook.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -nousage.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -nrfn.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -ns.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -nt.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -nucor001.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -nukor001.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -nullmx.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -num.safalife.com Intel::DOMAIN Mandiant APT1 Report T -o.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T -object.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -office.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -okie.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -old.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -oliver.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -once.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -onk.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -online.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T -online.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -online.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -online.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -online.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -ope.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -opp.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -oppa.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -opts.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -orca.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -ord.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -orient.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -otp.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T -otps.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -ou.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -ou1.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -ou1.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -ou2.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -ou2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -ou3.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -ou4.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -ou5.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -ou6.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -ou7.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -outlook.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -outlooks.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -owa.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -owa.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -owa.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -owa.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -pacific.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -pacific.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -pack.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -pact.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -paekl.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -papper.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -papper.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -pars.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -part.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -part.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -parth.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -pay.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -pay.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -payse.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -pcie.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -pda.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -pda.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -pda.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -pda.staycools.net Intel::DOMAIN Mandiant APT1 Report T -pda.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -pdoc.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -pear.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -pear.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -pear.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -people.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -phb.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -phe.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -philippines.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -pic.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -picture.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -pink.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -plane.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -planning.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -play.conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T -play.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -pme.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -png.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T -pop.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -pop.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -pop.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -pop.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -pop.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -pop.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -pop.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -pop.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -pop.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -pop.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T -pop.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -pop.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -pop.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -pop.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -pop.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -pop.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -pop.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -pop.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -pop.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -pop.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T -pop.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -pop.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -pop.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -pop.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -pop.staycools.net Intel::DOMAIN Mandiant APT1 Report T -pop.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -pop.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -pop.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -pop.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -pop.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -pop.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -pop.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -pop2.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -pop2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -pop3.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -pop3.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -pop4.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -pop5.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -pop6.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -pop9.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -popw.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -popwk.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -portbab.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -portpop.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -ppt.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -prc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -prefix.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -prefix.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -pro.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -proc.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T -proc.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -product.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -program.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -progress.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -protoc.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -psp.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -psp.staycools.net Intel::DOMAIN Mandiant APT1 Report T -psu.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -psu.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T -psu.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -ptp.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -pz.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -qedh.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -qhun-mons.businessformars.com Intel::DOMAIN Mandiant APT1 Report T -qiao1.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -qiao1.safalife.com Intel::DOMAIN Mandiant APT1 Report T -qiao2.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -qiao3.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -qiao4.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -qiao5.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -qiao6.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -qiao7.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -qiao8.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -qua.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -qual.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -quick.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -quiet.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -qusc12.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -rank.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -rcs.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -reas.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -record.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -records.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T -red.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -red.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -reg.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -release.busketball.com Intel::DOMAIN Mandiant APT1 Report T -release.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -release.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -report.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -report.regicsgf.net Intel::DOMAIN Mandiant APT1 Report T -reports.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T -research.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -research.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -rice.bigish.net Intel::DOMAIN Mandiant APT1 Report T -rj.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -rj.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -rnew.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -roger.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -root.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -root.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T -rou.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -rsut.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -s.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T -s.microsoft-update-info.com Intel::DOMAIN Mandiant APT1 Report T -saf.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T -saf.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -safbejn.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -safe.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -safe.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -safety.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -safety.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -safety.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -safr.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -sale.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -sale.staycools.net Intel::DOMAIN Mandiant APT1 Report T -sales.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -sam.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -sam.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -sam.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -satellite.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -sauu.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -sav.safalife.com Intel::DOMAIN Mandiant APT1 Report T -sb.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -sbh.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -scc.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -scc.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -science.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -scorpion.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -scpkl.bigish.net Intel::DOMAIN Mandiant APT1 Report T -sea.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -sea001.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -search.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -search.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -search.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -security.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -security.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -security.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -security.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -self.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -sells.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -sells.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -send.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -serv.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -serve.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -server.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -service.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -service.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -service.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -service.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -service.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -services.busketball.com Intel::DOMAIN Mandiant APT1 Report T -services.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -servmail.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -servmailb.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -servmails.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -set.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -sfn.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -sh.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -share.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -share.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -share.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -share.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -share.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -shit.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -shop.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -shop.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -shop.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -shop.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -shop.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -shot.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -shot.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -shot.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -sifcc.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -signal.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -sinbg.comrepair.net Intel::DOMAIN Mandiant APT1 Report T -sisc.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -sites.progammerli.com Intel::DOMAIN Mandiant APT1 Report T -sk2.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -skills.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -skills.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -sklcenter.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -sky.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -sky.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -sky.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -sky.safalife.com Intel::DOMAIN Mandiant APT1 Report T -slnoa.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -slnoa.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -slrfc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -slrj.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -slrou.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -slrouji.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -sls.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -slutc.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -sma.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -smile.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -smlk.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -smooth.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -smtp.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -smtp.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -smtp.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -smtp.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -smtp.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -smtp.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -smtp.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -smtp.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T -smtp.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -smtp.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -smtp.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -smtp.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -smtp.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -smtp.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -smtp.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -smtp.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -smtp.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T -smtp.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -smtp.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -smtp.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -smtp.safalife.com Intel::DOMAIN Mandiant APT1 Report T -smtp.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -smtp.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -smtp.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -smtp.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -smtp.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -smtp.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -smtp.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -smtp.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -snoopy.safalife.com Intel::DOMAIN Mandiant APT1 Report T -snoot.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -sns.syscation.com Intel::DOMAIN Mandiant APT1 Report T -sns.syscation.net Intel::DOMAIN Mandiant APT1 Report T -soft.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -soft.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -soft.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T -soft.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -soft.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T -soft.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -software.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -software.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T -solar.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -solar.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -solar.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -soler.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -sona.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -sonah.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -songhong.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -sope.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -sos.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -sotp.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -source.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T -sp.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -sp.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -space.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -spah.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -spahi.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -spckl.bigish.net Intel::DOMAIN Mandiant APT1 Report T -spcmon.businessformars.com Intel::DOMAIN Mandiant APT1 Report T -special.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -sports.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -sports.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -sports.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -sports.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -sports.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -sports.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -sports.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -sports.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T -sports.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T -sports.staycools.net Intel::DOMAIN Mandiant APT1 Report T -sports.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -sports.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -sports.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -sports.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -sports.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -sports3.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -sprts.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -spte.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -squick.bigish.net Intel::DOMAIN Mandiant APT1 Report T -sremx.bigish.net Intel::DOMAIN Mandiant APT1 Report T -srs.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -srs.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -srs.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -srvmail.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -sslsrv1.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -sslsrv2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -sslsrv5.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -sslsrv5.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -sslsrv6.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -ssun.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -star.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -star.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -star.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -stars.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -stars.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T -static.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -stell.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -step.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -stk.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -stk.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -stock.bigish.net Intel::DOMAIN Mandiant APT1 Report T -stock.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -stone.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -stone.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -stulaw.bigish.net Intel::DOMAIN Mandiant APT1 Report T -stuwal.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -stuwal.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -submarine.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -submarine.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -suffering.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -suffering.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -suffering.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -suffering.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -suffering.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -sun.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -sun.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -sun.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -support.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -support.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -support.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -support.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T -support.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -support.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -support.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -support.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -support.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -support.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -support.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -support.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -support.webservicesupdate.com Intel::DOMAIN Mandiant APT1 Report T -sute.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -sw.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -swiss.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -sword.bigish.net Intel::DOMAIN Mandiant APT1 Report T -sword.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -syn.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -sync.ns06.net Intel::DOMAIN Mandiant APT1 Report T -sys.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -sys.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -sys.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -sysj.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -system.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -sysy.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -tag.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -tape.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -tape.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -tape.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -tclient.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -tclient.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -teach.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -tech.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -tech.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -tech.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T -tech.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -tele.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -telnet.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -test.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T -test.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -test.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -test.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -test.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -test.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -thanhnien.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -thec.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -think.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -think.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -tia.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -time.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -time.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -time.mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T -time.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -time1.mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T -times.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T -tk.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -tnjs.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -tod.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -top.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T -topmoney.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -train.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -train.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -travel.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T -travel.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -travel.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -travel.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -trb.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -trip.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -trip.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -triu.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -ts.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -tt.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -ttl.tfxdccssl.net Intel::DOMAIN Mandiant APT1 Report T -tx.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -ug-aa.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-aaon.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-aeai.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-ag.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-asg.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-ati.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-bdai.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-bdai.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -ug-bdfa.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-bpd.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-cccc.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-ccr.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-chsaw.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-co.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-cti.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-dfait.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-enrc.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-ga.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-hst.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-hst.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -ug-irpf.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-kfc.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-man.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-mbi.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-nema.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-opm.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-piec.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-pmet.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-pnl.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-rev.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-rj.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -ug-rj.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-sbig.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-tree.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-tta.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-volpe.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -ug-west.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T -unifh.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -up.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T -up.safalife.com Intel::DOMAIN Mandiant APT1 Report T -upback.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -update.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -update.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -update.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -update.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -update.busketball.com Intel::DOMAIN Mandiant APT1 Report T -update.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -update.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -update.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T -update.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -update.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -update.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -update.idirectech.com Intel::DOMAIN Mandiant APT1 Report T -update.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T -update.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T -update.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -update.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -update.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -update.progammerli.com Intel::DOMAIN Mandiant APT1 Report T -update.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -update.safalife.com Intel::DOMAIN Mandiant APT1 Report T -update.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -update.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -update.staycools.net Intel::DOMAIN Mandiant APT1 Report T -update.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -update.tfxdccssl.net Intel::DOMAIN Mandiant APT1 Report T -update.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -update.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -update.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -update.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -update7.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -update8.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -updater.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -updatevn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -upload.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -u-rfc.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -url.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -url.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -us.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -us.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -us.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T -utex.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -value.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -vedio.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -velp.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -via.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -via.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -via.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -video.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -vip.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T -vip.pcclubddk.net Intel::DOMAIN Mandiant APT1 Report T -vip.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T -vis.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -visual.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -vockl.bigish.net Intel::DOMAIN Mandiant APT1 Report T -vol.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -vop.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -vope.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -vopm.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -vpn.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -vpn.businessformars.com Intel::DOMAIN Mandiant APT1 Report T -vpn.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -vpn.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -vsec.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -vseh.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -walk.bigish.net Intel::DOMAIN Mandiant APT1 Report T -walste.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -wangye.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -wangye.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T -wapi.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -was.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -water.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -wave.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -wcasekl.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -wcov.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wdeh.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -weather.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -weather.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T -weather.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -weather.staycools.net Intel::DOMAIN Mandiant APT1 Report T -weather.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -weather.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -web.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -web.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -web.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -web.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -web.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -web.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -web.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -web.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T -web.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T -web.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -web.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T -web.webservicesupdate.com Intel::DOMAIN Mandiant APT1 Report T -webdata.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -webjbs.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -weblog.bigish.net Intel::DOMAIN Mandiant APT1 Report T -weblog.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -webmail.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -webmail.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -webmail.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -webmail.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -webmail.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -webmail.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -webmail.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -webmail.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -webmail.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -webmail.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -webmail.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -webmail.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -webmail.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -webmail.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -webmail.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -webmail.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -webmail.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -webmail.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T -webmail.ustvb.com Intel::DOMAIN Mandiant APT1 Report T -webmail.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -webmail.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -webmailh.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -webmails.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -webmailw.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -webs.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -wed5.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -wed5.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -week.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -week.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -weg.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -wehmail.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -west.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -west.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -west1.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -westjoe.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -westking.bigish.net Intel::DOMAIN Mandiant APT1 Report T -westking.comrepair.net Intel::DOMAIN Mandiant APT1 Report T -westkl.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T -westkl.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -westnew.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T -wfcx.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wff.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wgl.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T -wgw.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wh1.bigish.net Intel::DOMAIN Mandiant APT1 Report T -what.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -whi.bigish.net Intel::DOMAIN Mandiant APT1 Report T -windows.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -wins.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -wish.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -wk.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -wmp.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wnam.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wnara.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wned.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wnew.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -woil.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -women.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -wopec.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wopm.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -work.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -work.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -work.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -work.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -work.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -work.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T -workstation.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -world.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -world.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -wow.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -wow.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T -wpcs.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wpot.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -wpot.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wptex.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wpvn.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wpvn.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T -wrim.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wsyggfw.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -wtom.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wwab.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -wwebmails.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -wwt.blackcake.net Intel::DOMAIN Mandiant APT1 Report T -www.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T -www.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -www.aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T -www.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T -www.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -www.attnpower.com Intel::DOMAIN Mandiant APT1 Report T -www.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T -www.avvmail.com Intel::DOMAIN Mandiant APT1 Report T -www.bigish.net Intel::DOMAIN Mandiant APT1 Report T -www.bluecoate.com Intel::DOMAIN Mandiant APT1 Report T -www.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T -www.businessformars.com Intel::DOMAIN Mandiant APT1 Report T -www.busketball.com Intel::DOMAIN Mandiant APT1 Report T -www.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T -www.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -www.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T -www.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T -www.cometoway.org Intel::DOMAIN Mandiant APT1 Report T -www.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -www.competrip.com Intel::DOMAIN Mandiant APT1 Report T -www.comtoway.com Intel::DOMAIN Mandiant APT1 Report T -www.conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T -www.copporationnews.com Intel::DOMAIN Mandiant APT1 Report T -www.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T -www.doemarkennel.com Intel::DOMAIN Mandiant APT1 Report T -www.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T -www.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T -www.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -www.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T -www.giftnews.org Intel::DOMAIN Mandiant APT1 Report T -www.globalowa.com Intel::DOMAIN Mandiant APT1 Report T -www.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T -www.hkcastte.com Intel::DOMAIN Mandiant APT1 Report T -www.hvmetal.com Intel::DOMAIN Mandiant APT1 Report T -www.idirectech.com Intel::DOMAIN Mandiant APT1 Report T -www.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T -www.jjpopp.com Intel::DOMAIN Mandiant APT1 Report T -www.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T -www.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T -www.maltempata.com Intel::DOMAIN Mandiant APT1 Report T -www.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -www.microsoft-update-info.com Intel::DOMAIN Mandiant APT1 Report T -www.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T -www.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -www.myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T -www.nationtour.net Intel::DOMAIN Mandiant APT1 Report T -www.newsesport.com Intel::DOMAIN Mandiant APT1 Report T -www.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T -www.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -www.nirvanaol.com Intel::DOMAIN Mandiant APT1 Report T -www.olmusic100.com Intel::DOMAIN Mandiant APT1 Report T -www.online.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T -www.phoenixtvus.com Intel::DOMAIN Mandiant APT1 Report T -www.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T -www.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T -www.safety-update.com Intel::DOMAIN Mandiant APT1 Report T -www.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T -www.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -www.shepmas.com Intel::DOMAIN Mandiant APT1 Report T -www.skyswim.net Intel::DOMAIN Mandiant APT1 Report T -www.staycools.net Intel::DOMAIN Mandiant APT1 Report T -www.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T -www.syscation.com Intel::DOMAIN Mandiant APT1 Report T -www.syscation.net Intel::DOMAIN Mandiant APT1 Report T -www.tibethome.org Intel::DOMAIN Mandiant APT1 Report T -www.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -www.ueopen.com Intel::DOMAIN Mandiant APT1 Report T -www.usabbs.org Intel::DOMAIN Mandiant APT1 Report T -www.usapappers.com Intel::DOMAIN Mandiant APT1 Report T -www.ushongkong.org Intel::DOMAIN Mandiant APT1 Report T -www.ustvb.com Intel::DOMAIN Mandiant APT1 Report T -www.uszzcs.com Intel::DOMAIN Mandiant APT1 Report T -www.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T -www.webservicesupdate.com Intel::DOMAIN Mandiant APT1 Report T -www.widewebsense.com Intel::DOMAIN Mandiant APT1 Report T -www.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T -www.youipcam.com Intel::DOMAIN Mandiant APT1 Report T -www-01.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T -www-049.businessformars.com Intel::DOMAIN Mandiant APT1 Report T -www1.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -www1.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -www1.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -www1.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T -www2.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -www3.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -wwwcb.newspappers.org Intel::DOMAIN Mandiant APT1 Report T -www-ctr.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -wwwi.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -wwwt.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -x-admin.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -xawh.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -x-book.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -x-fmgg.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -xinge3344.cccpan.com Intel::DOMAIN Mandiant APT1 Report T -xinge3344.ys168.com Intel::DOMAIN Mandiant APT1 Report T -xmer.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T -x-stone.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -xtap.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -xwclient.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T -xwclient.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -xwclient.newsonet.net Intel::DOMAIN Mandiant APT1 Report T -yang.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -yang.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -yang1.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T -yang1.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -yang2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T -yard.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T -ysb.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -ysb.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T -z0.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -z4.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -za.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T -zapts.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -zc.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -zero.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T -zh.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T -zone.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T -zone.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T -zone.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T -zone.msnhome.org Intel::DOMAIN Mandiant APT1 Report T -zone.searchforca.com Intel::DOMAIN Mandiant APT1 Report T -zone.todayusa.org Intel::DOMAIN Mandiant APT1 Report T -ztl.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T diff --git a/salt/deprecated-bro/policy/securityonion/apt1/apt1-md5.dat b/salt/deprecated-bro/policy/securityonion/apt1/apt1-md5.dat deleted file mode 100644 index 421549121..000000000 --- a/salt/deprecated-bro/policy/securityonion/apt1/apt1-md5.dat +++ /dev/null @@ -1,1012 +0,0 @@ -#fields indicator indicator_type meta.source meta.do_notice -# The following lines are for testing purposes only. Please keep them commented out when running in production. -#4285358dd748ef74cb8161108e11cb73 Intel::FILE_HASH Test MD5 T -#9593fcbd91fdb1a41d0304bf684d29fd Intel::FILE_HASH Test MD5 T -#e2c33fa7a3802289d46a7c3e4e1df342 Intel::FILE_HASH Test MD5 T -001dd76872d80801692ff942308c64e6 Intel::FILE_HASH Mandiant Apt1 Report T -002325a0a67fded0381b5648d7fe9b8e Intel::FILE_HASH Mandiant Apt1 Report T -00dbb9e1c09dbdafb360f3163ba5a3de Intel::FILE_HASH Mandiant Apt1 Report T -00f24328b282b28bc39960d55603e380 Intel::FILE_HASH Mandiant Apt1 Report T -0115338e11f85d7a2226933712acaae8 Intel::FILE_HASH Mandiant Apt1 Report T -0141955eb5b90ce25b506757ce151275 Intel::FILE_HASH Mandiant Apt1 Report T -0149b7bd7218aab4e257d28469fddb0d Intel::FILE_HASH Mandiant Apt1 Report T -016da6ee744b16656a2ba3107c7a4a29 Intel::FILE_HASH Mandiant Apt1 Report T -01e0dc079d4e33d8edd050c4900818da Intel::FILE_HASH Mandiant Apt1 Report T -024fd07dbdacc7da227bede3449c2b6a Intel::FILE_HASH Mandiant Apt1 Report T -0285bd1fbdd70fd5165260a490564ac8 Intel::FILE_HASH Mandiant Apt1 Report T -02a2d148faba3b6310e7ba81eb62739d Intel::FILE_HASH Mandiant Apt1 Report T -02c65973b6018f5d473d701b3e7508b2 Intel::FILE_HASH Mandiant Apt1 Report T -034374db2d35cf9da6558f54cec8a455 Intel::FILE_HASH Mandiant Apt1 Report T -03ae71eba61af2d497e226da3954f3af Intel::FILE_HASH Mandiant Apt1 Report T -0469a42d71b4a55118b9579c8c772bb6 Intel::FILE_HASH Mandiant Apt1 Report T -0496e3b17cf40c45f495188a368c203a Intel::FILE_HASH Mandiant Apt1 Report T -04a7b7dab5ff8ba1486df9dbe68c748c Intel::FILE_HASH Mandiant Apt1 Report T -04e83832146034f9797d2e8145413daa Intel::FILE_HASH Mandiant Apt1 Report T -04f481d6710ac5d68d0eacac2600a041 Intel::FILE_HASH Mandiant Apt1 Report T -0501bb10d646b29cab7d17a8407010d9 Intel::FILE_HASH Mandiant Apt1 Report T -0522e955aaee70b102e843f14c13a92c Intel::FILE_HASH Mandiant Apt1 Report T -052ec04866e4a67f31845d656531830d Intel::FILE_HASH Mandiant Apt1 Report T -0545a524a6bb0b042f4b00da53fec948 Intel::FILE_HASH Mandiant Apt1 Report T -05552a77620933dd80f1e176736f8fe7 Intel::FILE_HASH Mandiant Apt1 Report T -0583f58ac3d804d28cd433d369b096b8 Intel::FILE_HASH Mandiant Apt1 Report T -0588ffa0a244a2c4431c5c4faac60b1f Intel::FILE_HASH Mandiant Apt1 Report T -05bc8309b93676087d5fb0b58ad5e9d8 Intel::FILE_HASH Mandiant Apt1 Report T -05cc052686fbdf25fb610c1fe120195f Intel::FILE_HASH Mandiant Apt1 Report T -06598b0490133815541c5ac023623e82 Intel::FILE_HASH Mandiant Apt1 Report T -065e63afdfa539727f63af7530b22d2f Intel::FILE_HASH Mandiant Apt1 Report T -078f1e2c528f2318b073e871f73efc21 Intel::FILE_HASH Mandiant Apt1 Report T -079028d315d039da0ffec2728b2c9ef6 Intel::FILE_HASH Mandiant Apt1 Report T -07ae235391f7b290ea3a35067239a290 Intel::FILE_HASH Mandiant Apt1 Report T -07c4032f24ae44614676fbdfe539afe0 Intel::FILE_HASH Mandiant Apt1 Report T -07fe9f901fb4f14e16fb5d114a92b0fc Intel::FILE_HASH Mandiant Apt1 Report T -08084604344b5ed11c2612795b2d3608 Intel::FILE_HASH Mandiant Apt1 Report T -0829207a8400e2814990f79fbdfe7f4d Intel::FILE_HASH Mandiant Apt1 Report T -082cc969b3eb6786e3e951b450b8de0d Intel::FILE_HASH Mandiant Apt1 Report T -089c9e5407ddb464dfeca2e528536395 Intel::FILE_HASH Mandiant Apt1 Report T -08d7679a9c806a2f7d2be26fe9b425ee Intel::FILE_HASH Mandiant Apt1 Report T -08e0d0f5cdfe1bc2e5fc1b992fe1e073 Intel::FILE_HASH Mandiant Apt1 Report T -08f21a020f41f0bcacdc9427f84987da Intel::FILE_HASH Mandiant Apt1 Report T -0908d8b3e459551039bade50930e4c1b Intel::FILE_HASH Mandiant Apt1 Report T -09531f851ef74a7238685fd287a395bd Intel::FILE_HASH Mandiant Apt1 Report T -097b5abb53a3d84fa9eabda02fef9e91 Intel::FILE_HASH Mandiant Apt1 Report T -09d372e4259980ac95fdadf1846578d9 Intel::FILE_HASH Mandiant Apt1 Report T -0b506c6dde8d07f9eeb82fd01a6f97d4 Intel::FILE_HASH Mandiant Apt1 Report T -0b680e7bd5c0501d5dd73164122a7faf Intel::FILE_HASH Mandiant Apt1 Report T -0c28ad34f90950bc784339ec9f50d288 Intel::FILE_HASH Mandiant Apt1 Report T -0c5858f293aed44ea00eb9e0019609df Intel::FILE_HASH Mandiant Apt1 Report T -0c5e9f564115bfcbee66377a829de55f Intel::FILE_HASH Mandiant Apt1 Report T -0ca6e2ad69826c8e3287fc8576112814 Intel::FILE_HASH Mandiant Apt1 Report T -0cad42671e5771574df44a23b3634f32 Intel::FILE_HASH Mandiant Apt1 Report T -0ccfaeb11defb100b5ddb40057e8fce4 Intel::FILE_HASH Mandiant Apt1 Report T -0cf8259502d178a099ab2852e2bddbe1 Intel::FILE_HASH Mandiant Apt1 Report T -0cf9e999c574ec89595263446978dc9f Intel::FILE_HASH Mandiant Apt1 Report T -0d0240672a314a7547d328f824642da8 Intel::FILE_HASH Mandiant Apt1 Report T -0d678350f05b274844da5d79fee75324 Intel::FILE_HASH Mandiant Apt1 Report T -0dd3677594632ce270bcf8af94819caf Intel::FILE_HASH Mandiant Apt1 Report T -0df42947e167cd006b176d305c08d57e Intel::FILE_HASH Mandiant Apt1 Report T -0e84132e5ad04351b644b8d8743fc4d3 Intel::FILE_HASH Mandiant Apt1 Report T -0ec0fcd649f3d5aa2e19f110c0089164 Intel::FILE_HASH Mandiant Apt1 Report T -0f23d5b93c30681655d8a4258b8de129 Intel::FILE_HASH Mandiant Apt1 Report T -0fbdc6e3f79063a4773d4872fa1f15d1 Intel::FILE_HASH Mandiant Apt1 Report T -0fed203f3df6a82c9124f24aa3d9d75d Intel::FILE_HASH Mandiant Apt1 Report T -0ff20d023d6b54661d66fb3ce09afe3c Intel::FILE_HASH Mandiant Apt1 Report T -0ff48a336655869a74611236e6e2d249 Intel::FILE_HASH Mandiant Apt1 Report T -106338ad223b84fbc2528a55e3e22302 Intel::FILE_HASH Mandiant Apt1 Report T -1097ca5269dea866d5c9f2b0cc50af6d Intel::FILE_HASH Mandiant Apt1 Report T -10a38dd9598cc31efe664cfaa8f37bf1 Intel::FILE_HASH Mandiant Apt1 Report T -10a68e08c514d3b69296b0eb557d822c Intel::FILE_HASH Mandiant Apt1 Report T -10bb5a8ae053e335fe047cf38db95452 Intel::FILE_HASH Mandiant Apt1 Report T -11504971bb85cdacb8ef7d45e6e2aeb7 Intel::FILE_HASH Mandiant Apt1 Report T -11ccf3f93b00b01887e50283742cd1e6 Intel::FILE_HASH Mandiant Apt1 Report T -11d350127ff1e9ecd665c34326475584 Intel::FILE_HASH Mandiant Apt1 Report T -11dbecc954bf8a89d59407a992889cfd Intel::FILE_HASH Mandiant Apt1 Report T -11de4b1ab84bcb8dd28ef0ea4641f6d0 Intel::FILE_HASH Mandiant Apt1 Report T -120c2e085992ff59a21ba401ec29fec9 Intel::FILE_HASH Mandiant Apt1 Report T -1224527e295380dce1ac9953c850ce97 Intel::FILE_HASH Mandiant Apt1 Report T -123505024f9e5ff74cb6aa67d7fcc392 Intel::FILE_HASH Mandiant Apt1 Report T -125ebbc6f0c957ee994fcef1431a93f4 Intel::FILE_HASH Mandiant Apt1 Report T -129c6cd9d2aa895cf6fa137fa1d3a188 Intel::FILE_HASH Mandiant Apt1 Report T -12a410d82a1fc9a8c18b350872e0d465 Intel::FILE_HASH Mandiant Apt1 Report T -12f25ce81596aeb19e75cc7ef08f3a38 Intel::FILE_HASH Mandiant Apt1 Report T -1328eaceb140a3863951d18661b097af Intel::FILE_HASH Mandiant Apt1 Report T -13835f0d5aafbeda50560afc92c8b7b7 Intel::FILE_HASH Mandiant Apt1 Report T -13f0b56c28995e4efc8da784ad862853 Intel::FILE_HASH Mandiant Apt1 Report T -1415eb8519d13328091cc5c76a624e3d Intel::FILE_HASH Mandiant Apt1 Report T -1486f48948db4f9afaebd69c7c52f899 Intel::FILE_HASH Mandiant Apt1 Report T -150c4c1f589c4baa794160276a3d4aba Intel::FILE_HASH Mandiant Apt1 Report T -150c95865766c2dd0562e7bedb6db104 Intel::FILE_HASH Mandiant Apt1 Report T -15137b710414e4e8508ac5ab27e2cbaa Intel::FILE_HASH Mandiant Apt1 Report T -15244d2321faa3a271ff0b1e5a23148f Intel::FILE_HASH Mandiant Apt1 Report T -15901ddbccc5e9e0579fc5b42f754fe8 Intel::FILE_HASH Mandiant Apt1 Report T -15d1330be5e27f6f51d011b0575ffa05 Intel::FILE_HASH Mandiant Apt1 Report T -165ef79e7caa806f13f82cc2bbf3dedd Intel::FILE_HASH Mandiant Apt1 Report T -16e53c619803d0068611bb6d448d1d49 Intel::FILE_HASH Mandiant Apt1 Report T -17199ddac616938f383a0339f416c890 Intel::FILE_HASH Mandiant Apt1 Report T -173cd315008897e56fa812f2b2843f83 Intel::FILE_HASH Mandiant Apt1 Report T -177e0270f25a901c216ffb2e7a36e5b1 Intel::FILE_HASH Mandiant Apt1 Report T -17f5a2e0997b59449ca2120b20b5b7ce Intel::FILE_HASH Mandiant Apt1 Report T -17f6602f1c507b006b9d09eedcde0096 Intel::FILE_HASH Mandiant Apt1 Report T -1809c3cc93332d7bc0799238519a2938 Intel::FILE_HASH Mandiant Apt1 Report T -18316e6ebb356a66c8ff51e73c1bcc8a Intel::FILE_HASH Mandiant Apt1 Report T -18e5ef23b634344321b2b3f5fa80a598 Intel::FILE_HASH Mandiant Apt1 Report T -19fc27aeb48b3ce8d00eb2e76dfe2837 Intel::FILE_HASH Mandiant Apt1 Report T -1a0c7e61bcc50d57b7bcf9d9af691de5 Intel::FILE_HASH Mandiant Apt1 Report T -1ae2dadd85cd97452bb26b2c901d0890 Intel::FILE_HASH Mandiant Apt1 Report T -1aea4d24f3bd2c51288ad643fc66e0d2 Intel::FILE_HASH Mandiant Apt1 Report T -1b36190794516da078decaff881d9864 Intel::FILE_HASH Mandiant Apt1 Report T -1b7eed9d2438b494197e95fe57114f9b Intel::FILE_HASH Mandiant Apt1 Report T -1ba6fee7d4e73752b39a09b1396b69f0 Intel::FILE_HASH Mandiant Apt1 Report T -1baa7f5813e259c6346d1b02a1370d75 Intel::FILE_HASH Mandiant Apt1 Report T -1c16bd1488163c03cd506c2f71486a0f Intel::FILE_HASH Mandiant Apt1 Report T -1c7538951b21d93ef7ecf3fa94ae5c5e Intel::FILE_HASH Mandiant Apt1 Report T -1ca3ca9ec20474d07fc798f2b41e2625 Intel::FILE_HASH Mandiant Apt1 Report T -1ce4605e771a04e375e0d1083f183e8e Intel::FILE_HASH Mandiant Apt1 Report T -1e314c972075b8058099fd8759c11ce8 Intel::FILE_HASH Mandiant Apt1 Report T -1e48f6ba839d2c4794e23c10e5c4c138 Intel::FILE_HASH Mandiant Apt1 Report T -1e5ec6c06e4f6bb958dcbb9fc636009d Intel::FILE_HASH Mandiant Apt1 Report T -1ea61a0945bde3c6f41e12bc01928d37 Intel::FILE_HASH Mandiant Apt1 Report T -1ede2c69d50e0efbe23f758d902216e0 Intel::FILE_HASH Mandiant Apt1 Report T -1f2eb7b090018d975e6d9b40868c94ca Intel::FILE_HASH Mandiant Apt1 Report T -1f92ff8711716ca795fbd81c477e45f5 Intel::FILE_HASH Mandiant Apt1 Report T -1f9b32bac55ba4c015181ebf55767752 Intel::FILE_HASH Mandiant Apt1 Report T -1fad25d4fef631f8ec3115e0944e4621 Intel::FILE_HASH Mandiant Apt1 Report T -1fb4ce2e56ced51ddf1edff8ed15c21b Intel::FILE_HASH Mandiant Apt1 Report T -1fff3f96f53c5bbdd39eb2351f12549d Intel::FILE_HASH Mandiant Apt1 Report T -201fb83679a1fe05007fc6b8d6d96680 Intel::FILE_HASH Mandiant Apt1 Report T -2080f463388aebe6deb7edf11c01f7ff Intel::FILE_HASH Mandiant Apt1 Report T -20e2c8c7a98ddd4c16f6e878194c1e78 Intel::FILE_HASH Mandiant Apt1 Report T -212c724346400853d05a4440cabd716c Intel::FILE_HASH Mandiant Apt1 Report T -2156942db0293565c9420c1e254a2c32 Intel::FILE_HASH Mandiant Apt1 Report T -215df0c319b98dad4f202849b097f8b2 Intel::FILE_HASH Mandiant Apt1 Report T -2198fea94bb79b001fcfd3e03b269001 Intel::FILE_HASH Mandiant Apt1 Report T -2244c60f4c1dc285c259f3ac5bf88ff8 Intel::FILE_HASH Mandiant Apt1 Report T -225e33508861984dd2a774760bfdfc52 Intel::FILE_HASH Mandiant Apt1 Report T -2272791cadf422ce02a117a3a857f84e Intel::FILE_HASH Mandiant Apt1 Report T -22aa55134d621672e93c6de928c8b122 Intel::FILE_HASH Mandiant Apt1 Report T -22d9466d6aab8410bea006b5d3df8bd0 Intel::FILE_HASH Mandiant Apt1 Report T -23059de2797774bbdd9b21f979aaec51 Intel::FILE_HASH Mandiant Apt1 Report T -23e371b816bab10cd9cfc4a46154022c Intel::FILE_HASH Mandiant Apt1 Report T -24259ae8b0018b0ce9992fb1d9b69e2a Intel::FILE_HASH Mandiant Apt1 Report T -2479a9a50308cb72fcd5e4e18ef06468 Intel::FILE_HASH Mandiant Apt1 Report T -24c4ed0a6cc4e9671b72c104977fa215 Intel::FILE_HASH Mandiant Apt1 Report T -24f1b8266f4faf550999581bf0edac83 Intel::FILE_HASH Mandiant Apt1 Report T -24fefb8b9338e2300308260be19bbaab Intel::FILE_HASH Mandiant Apt1 Report T -251c817f4144264c3e7a9dac03071daf Intel::FILE_HASH Mandiant Apt1 Report T -255cd53f9bdb6f3755e621885cb34382 Intel::FILE_HASH Mandiant Apt1 Report T -257258344edad17f689b1c6d14833cbc Intel::FILE_HASH Mandiant Apt1 Report T -25f240aed433c4ea52ccdb898e43756f Intel::FILE_HASH Mandiant Apt1 Report T -2640cb47de607a8276c26e8a27f1150b Intel::FILE_HASH Mandiant Apt1 Report T -268988aa1df82ab073f527b5b6c8bff7 Intel::FILE_HASH Mandiant Apt1 Report T -268eef019bf65b2987e945afaf29643f Intel::FILE_HASH Mandiant Apt1 Report T -270d42f292105951ee81e4085ea45054 Intel::FILE_HASH Mandiant Apt1 Report T -2762fb36161086f7ef3f33232aa790dc Intel::FILE_HASH Mandiant Apt1 Report T -277964807a66aeeb6bd81dbfcaa3e4e6 Intel::FILE_HASH Mandiant Apt1 Report T -277f95bff2e0fe317f86b5010bd83a18 Intel::FILE_HASH Mandiant Apt1 Report T -286f48dda20e2ccc3250a6e09a130db1 Intel::FILE_HASH Mandiant Apt1 Report T -28dbd86bd86eb9153ecb20d883c41ae0 Intel::FILE_HASH Mandiant Apt1 Report T -28e64dfeab48030bc532ae4ace2c9e4c Intel::FILE_HASH Mandiant Apt1 Report T -2976a62c2a829a153a9b0b5f433bdc77 Intel::FILE_HASH Mandiant Apt1 Report T -29c691978af80dc23c4df96b5f6076bb Intel::FILE_HASH Mandiant Apt1 Report T -2a214ce037f5f6bb01ddc453f0265d92 Intel::FILE_HASH Mandiant Apt1 Report T -2a4604fcae876dee445de5ad74fd7835 Intel::FILE_HASH Mandiant Apt1 Report T -2a84b88c4a2ce0fb6227f7990f465737 Intel::FILE_HASH Mandiant Apt1 Report T -2acfc925e66e1b820a67c4d0f3e6ae8c Intel::FILE_HASH Mandiant Apt1 Report T -2af105519133baaee57c9ade00543de2 Intel::FILE_HASH Mandiant Apt1 Report T -2b379d5346ffd386c28038630a9b0292 Intel::FILE_HASH Mandiant Apt1 Report T -2b659d71ae168e774faaf38db30f4a84 Intel::FILE_HASH Mandiant Apt1 Report T -2b732257d8d9f09560fdcb7d84d430ca Intel::FILE_HASH Mandiant Apt1 Report T -2ba0d0083976a5c1e3315413cdcffcd2 Intel::FILE_HASH Mandiant Apt1 Report T -2bd02b41817d227058522cca40acd390 Intel::FILE_HASH Mandiant Apt1 Report T -2bdc196cdac4478ae325c94bab433732 Intel::FILE_HASH Mandiant Apt1 Report T -2c49f47c98203b110799ab622265f4ef Intel::FILE_HASH Mandiant Apt1 Report T -2c78d8bb5912d8174042f81197d9b449 Intel::FILE_HASH Mandiant Apt1 Report T -2c9c691e15a48b20dbead0a6d6bf0300 Intel::FILE_HASH Mandiant Apt1 Report T -2ca8ba14ff07ef8616372c53ee84d20e Intel::FILE_HASH Mandiant Apt1 Report T -2cdbeebcf4e0b6dbd24b8c7b4cd6d862 Intel::FILE_HASH Mandiant Apt1 Report T -2d08595e73de31a36c1187fcaac73bf0 Intel::FILE_HASH Mandiant Apt1 Report T -2d57aa4e7f2f4088f1b96313b24c7602 Intel::FILE_HASH Mandiant Apt1 Report T -2daa4a4574ba06aa3203ae0e0b45b3b8 Intel::FILE_HASH Mandiant Apt1 Report T -2dd892986b2249b5214639ecc8ac0223 Intel::FILE_HASH Mandiant Apt1 Report T -2e8484f59899046452392c236460ebb6 Intel::FILE_HASH Mandiant Apt1 Report T -2ef062fa86537db34f5907a9775664a1 Intel::FILE_HASH Mandiant Apt1 Report T -2f5979eaa728550a352c1ffee0b31236 Intel::FILE_HASH Mandiant Apt1 Report T -2f930d92dc5ebc9d53ad2a2b451ebf65 Intel::FILE_HASH Mandiant Apt1 Report T -2fae9efa753d3d821e1efdbc1335b966 Intel::FILE_HASH Mandiant Apt1 Report T -2fccaa39533de02490b1c6395878dd79 Intel::FILE_HASH Mandiant Apt1 Report T -30a7aa13b1f8d272cb36576952e8b6c0 Intel::FILE_HASH Mandiant Apt1 Report T -30b3b17eab05ecffaa055b5091aa66f9 Intel::FILE_HASH Mandiant Apt1 Report T -30e78d186b27d2023a2a7319bb679c3f Intel::FILE_HASH Mandiant Apt1 Report T -3107de21e480ab1f2d67725f419b28d0 Intel::FILE_HASH Mandiant Apt1 Report T -3120fc8630c5252002f26f6e11b09eca Intel::FILE_HASH Mandiant Apt1 Report T -3122fbb558e1a5f32c90eba31f674add Intel::FILE_HASH Mandiant Apt1 Report T -31b1d316b46c967c80fe7398a9e4cf41 Intel::FILE_HASH Mandiant Apt1 Report T -31e5e58dbdfad05175613e795298ebb5 Intel::FILE_HASH Mandiant Apt1 Report T -321d75c9990408db812e5a248a74f8c8 Intel::FILE_HASH Mandiant Apt1 Report T -328c3ebb2fd2e170483e8d51ccc6c505 Intel::FILE_HASH Mandiant Apt1 Report T -32c32e936cffa8ab370c7f3f2dd43d65 Intel::FILE_HASH Mandiant Apt1 Report T -335df3ffb8cee61c20ab91a401204df4 Intel::FILE_HASH Mandiant Apt1 Report T -3364813bcbd111fc5ec1e4265c533506 Intel::FILE_HASH Mandiant Apt1 Report T -338782d2df367156a2c7e12e9526c600 Intel::FILE_HASH Mandiant Apt1 Report T -33d974011c4b047bf9874a71ba261a11 Intel::FILE_HASH Mandiant Apt1 Report T -33de5067a433a6ec5c328067dc18ec37 Intel::FILE_HASH Mandiant Apt1 Report T -33e9ccd45ef133b2c100d5a4f50635d5 Intel::FILE_HASH Mandiant Apt1 Report T -341f5e7215826d07ada1ed2b96264c0d Intel::FILE_HASH Mandiant Apt1 Report T -342939e5fe4770c545659a6bf1e50df4 Intel::FILE_HASH Mandiant Apt1 Report T -3441cbdf8de9472c19b021b241429b22 Intel::FILE_HASH Mandiant Apt1 Report T -349f6cfb77bb360063c477e9b6ca24d6 Intel::FILE_HASH Mandiant Apt1 Report T -34ca3fbcaac48498aeff6035b172bf69 Intel::FILE_HASH Mandiant Apt1 Report T -34cebbb4d35a66a7a7fb1ce857c195c9 Intel::FILE_HASH Mandiant Apt1 Report T -35008d12dfa47447112495f430e4aefe Intel::FILE_HASH Mandiant Apt1 Report T -351afebaf03ef12e6ad1b412612d0c53 Intel::FILE_HASH Mandiant Apt1 Report T -35b9f05cf70017cc485af87660109dc8 Intel::FILE_HASH Mandiant Apt1 Report T -35f32431a069398d25efda2dafa32d93 Intel::FILE_HASH Mandiant Apt1 Report T -36a7c3a6460c98e161e1005c925da0b2 Intel::FILE_HASH Mandiant Apt1 Report T -36c0d3f109aede4d76b05431f8a64f9e Intel::FILE_HASH Mandiant Apt1 Report T -36cd49ad631e99125a3bb2786e405cea Intel::FILE_HASH Mandiant Apt1 Report T -36d5c8fc4b14559f73b6136d85b94198 Intel::FILE_HASH Mandiant Apt1 Report T -370c50aea66cc338b37801e1bd1c244f Intel::FILE_HASH Mandiant Apt1 Report T -37cf3f25895c27ca5e647bbfdc1d5b2d Intel::FILE_HASH Mandiant Apt1 Report T -37ddd3d72ead03c7518f5d47650c8572 Intel::FILE_HASH Mandiant Apt1 Report T -37df1896ba54e85ef549ccc1a88d34ab Intel::FILE_HASH Mandiant Apt1 Report T -37e7dc80c1eb618b3cd1b442858afa60 Intel::FILE_HASH Mandiant Apt1 Report T -37eee514b04167f8e17e2caa3bfd3049 Intel::FILE_HASH Mandiant Apt1 Report T -389f43a8af199da8da6b7c75b2c69595 Intel::FILE_HASH Mandiant Apt1 Report T -390d1f2a620912104f53c034c8aef14b Intel::FILE_HASH Mandiant Apt1 Report T -39e28f48c138dc156d1436fd02222e45 Intel::FILE_HASH Mandiant Apt1 Report T -3a3e4bca1197e4abab03340ea97d718d Intel::FILE_HASH Mandiant Apt1 Report T -3a45d4bfd1f919f167ce4a5e5ba00e15 Intel::FILE_HASH Mandiant Apt1 Report T -3a4cda1973cacd78740ff30774d6375e Intel::FILE_HASH Mandiant Apt1 Report T -3abe9c84fc13d0a82c1c3e0dced5825d Intel::FILE_HASH Mandiant Apt1 Report T -3b0829e2e966dae17d4c235893a3ae8a Intel::FILE_HASH Mandiant Apt1 Report T -3b1b190407b868406c5c155a79f3d146 Intel::FILE_HASH Mandiant Apt1 Report T -3b320b90e024bfa48bda72aa7a82322c Intel::FILE_HASH Mandiant Apt1 Report T -3c1b2fabb7d74bc5be0820eae4107f8a Intel::FILE_HASH Mandiant Apt1 Report T -3c4066b252722c873348d43b4c3ec0e5 Intel::FILE_HASH Mandiant Apt1 Report T -3cda17269c246a2e3bfcda6fa02fceb8 Intel::FILE_HASH Mandiant Apt1 Report T -3d0c1dc5ac55f6d0e6b7fabfeb5158f5 Intel::FILE_HASH Mandiant Apt1 Report T -3d328395d0cefc67e2909774125196b1 Intel::FILE_HASH Mandiant Apt1 Report T -3d573866620eae070a220be89e113f69 Intel::FILE_HASH Mandiant Apt1 Report T -3d61d23c2be95177937aa50769c0c512 Intel::FILE_HASH Mandiant Apt1 Report T -3d6fe3928f2f5ce41622f3f958b894a0 Intel::FILE_HASH Mandiant Apt1 Report T -3de1bd0f2107198931177b2b23877df4 Intel::FILE_HASH Mandiant Apt1 Report T -3de60420845a582b0e44081b1138a7e4 Intel::FILE_HASH Mandiant Apt1 Report T -3e12ffa5ad676a41754e2cc59e980e57 Intel::FILE_HASH Mandiant Apt1 Report T -3e32ab6a2eac5bd1cddd3146d1a1348b Intel::FILE_HASH Mandiant Apt1 Report T -3e3e6fe1a8c6ffc00a9c644997a4f7a1 Intel::FILE_HASH Mandiant Apt1 Report T -3e69945e5865ccc861f69b24bc1166b6 Intel::FILE_HASH Mandiant Apt1 Report T -3e6ed3ee47bce9946e2541332cb34c69 Intel::FILE_HASH Mandiant Apt1 Report T -3e72fd40e47e232496b303734f1b2b11 Intel::FILE_HASH Mandiant Apt1 Report T -3e87051b1dc3463f378c7e1fe398dc7d Intel::FILE_HASH Mandiant Apt1 Report T -3ea7bf3b469499f0f6d4a78af865138f Intel::FILE_HASH Mandiant Apt1 Report T -3f19992be3606c136b15041207daf6e4 Intel::FILE_HASH Mandiant Apt1 Report T -3f243b304358041fb163007e0c066d4a Intel::FILE_HASH Mandiant Apt1 Report T -3f33c0dab564c35485fd227d97b98443 Intel::FILE_HASH Mandiant Apt1 Report T -3f34e41d8ea034e6246ef6426bc91336 Intel::FILE_HASH Mandiant Apt1 Report T -3f8682ab074a097ebbaadbf26dfff560 Intel::FILE_HASH Mandiant Apt1 Report T -3fb8f4cdcb4d1d48be2e473fd8727239 Intel::FILE_HASH Mandiant Apt1 Report T -3fc26910f9c31bd9ba3ccb09132d9ca3 Intel::FILE_HASH Mandiant Apt1 Report T -40831b3799c94b609a91d517d14bea21 Intel::FILE_HASH Mandiant Apt1 Report T -40b1e9cf468f499d749c0863cfa6c8c1 Intel::FILE_HASH Mandiant Apt1 Report T -40ee45b1343406b6f7ad6204f1af7693 Intel::FILE_HASH Mandiant Apt1 Report T -4111fbc14558385c10091543c439264a Intel::FILE_HASH Mandiant Apt1 Report T -411d770b2939e968c692dbdd3116e179 Intel::FILE_HASH Mandiant Apt1 Report T -4192479b055b2b21cb7e6c803b765d34 Intel::FILE_HASH Mandiant Apt1 Report T -41a5d40ecc735172b18b61e01a30a178 Intel::FILE_HASH Mandiant Apt1 Report T -41bb847963a8fce70ad21e70dd786107 Intel::FILE_HASH Mandiant Apt1 Report T -41d623c1de3b0d182c51e56b2a3f3fba Intel::FILE_HASH Mandiant Apt1 Report T -420deefd91db5e177b46e4134441a35e Intel::FILE_HASH Mandiant Apt1 Report T -4227f2872817cfc74d134ee9f3d06d14 Intel::FILE_HASH Mandiant Apt1 Report T -42462d31a2e5b1e4602a1a4d39abeca9 Intel::FILE_HASH Mandiant Apt1 Report T -435991e0c67f0c0b4504355b6d4493f0 Intel::FILE_HASH Mandiant Apt1 Report T -438401c9ae36e9ed1bf4f410ae116484 Intel::FILE_HASH Mandiant Apt1 Report T -438983192903f3fecf77500a39459ee6 Intel::FILE_HASH Mandiant Apt1 Report T -43b844c35e1a933e9214588be81ce772 Intel::FILE_HASH Mandiant Apt1 Report T -44066f29aab6a9379f8dd30f6bec257d Intel::FILE_HASH Mandiant Apt1 Report T -456d298649a7ec31a7250ed9312ebbaf Intel::FILE_HASH Mandiant Apt1 Report T -45aa4177bb42eb3ded5edf397a4aaded Intel::FILE_HASH Mandiant Apt1 Report T -465b085d3ddd22f63d8f7721ce5736d7 Intel::FILE_HASH Mandiant Apt1 Report T -46817cabd6618d2126067430a78f06a3 Intel::FILE_HASH Mandiant Apt1 Report T -468ff2c12cffc7e5b2fe0ee6bb3b239e Intel::FILE_HASH Mandiant Apt1 Report T -46a86e3c12d5025aa78c7ddf46717c38 Intel::FILE_HASH Mandiant Apt1 Report T -46acae84a04e41730d0502d9080bbb4a Intel::FILE_HASH Mandiant Apt1 Report T -46c36c11238100e155f6d418332869ea Intel::FILE_HASH Mandiant Apt1 Report T -471005f73280264c48f769e1c21fbcc1 Intel::FILE_HASH Mandiant Apt1 Report T -4749f6336eb86b5fa7029661f88ded20 Intel::FILE_HASH Mandiant Apt1 Report T -476fea8761a03bef16e322996c2f6666 Intel::FILE_HASH Mandiant Apt1 Report T -4788960e489197f2633f581607eb0d26 Intel::FILE_HASH Mandiant Apt1 Report T -47e7f92419eb4b98ff4124c3ca11b738 Intel::FILE_HASH Mandiant Apt1 Report T -494637c4ac6d04bb50a681e87b81043f Intel::FILE_HASH Mandiant Apt1 Report T -494fca685834f3158d133f6b09cbb507 Intel::FILE_HASH Mandiant Apt1 Report T -4962cb3f255b2eaf48847c754d2a553d Intel::FILE_HASH Mandiant Apt1 Report T -496f04719a365f9718919002eff5748b Intel::FILE_HASH Mandiant Apt1 Report T -497f07f54a4c29fe3be1a15f4516e32d Intel::FILE_HASH Mandiant Apt1 Report T -49bacedcd18f6d8929d43a10dae8645f Intel::FILE_HASH Mandiant Apt1 Report T -4a2320b41a5216c741bf63fce562961a Intel::FILE_HASH Mandiant Apt1 Report T -4a54d7878d4170c3d4e3c3606365c42c Intel::FILE_HASH Mandiant Apt1 Report T -4aadab80ce16c588b8719f15e84aba82 Intel::FILE_HASH Mandiant Apt1 Report T -4ab62c8e525bee410cd4b6cfeea7d221 Intel::FILE_HASH Mandiant Apt1 Report T -4ad4258b73430fc3e843a2e59d8ee70a Intel::FILE_HASH Mandiant Apt1 Report T -4b19a2a6d40a5825e868c6ef25ae445e Intel::FILE_HASH Mandiant Apt1 Report T -4c6bddcca2695d6202df38708e14fc7e Intel::FILE_HASH Mandiant Apt1 Report T -4c858a80df0d6de5d69824c9502b65cf Intel::FILE_HASH Mandiant Apt1 Report T -4c9c9dbf388a8d81d8cfb4d3fc05f8e4 Intel::FILE_HASH Mandiant Apt1 Report T -4cabfaef26fd8e5aec01d0c4b90a32f3 Intel::FILE_HASH Mandiant Apt1 Report T -4cd3bed14aaffcf61f4d2948484c4c90 Intel::FILE_HASH Mandiant Apt1 Report T -4d21cc82e4031e1d6bb15541827b9e67 Intel::FILE_HASH Mandiant Apt1 Report T -4e1a92036a577a87a6fa36168d192c4b Intel::FILE_HASH Mandiant Apt1 Report T -4e3ddb5c27e45ee0e6dcc02e87b0abb5 Intel::FILE_HASH Mandiant Apt1 Report T -4e551abcd14506092a0f8d54a45f3569 Intel::FILE_HASH Mandiant Apt1 Report T -4f65bc571cdd9c9cd11e771e1db35a4c Intel::FILE_HASH Mandiant Apt1 Report T -4f763b07a7b8a80f1f9408e590f79532 Intel::FILE_HASH Mandiant Apt1 Report T -50361f8793258b6e883b31269e053ed2 Intel::FILE_HASH Mandiant Apt1 Report T -50a3aaaebae6cee7ecb150ac395276b9 Intel::FILE_HASH Mandiant Apt1 Report T -50f35b7c86aede891a72fcb85f06b0b7 Intel::FILE_HASH Mandiant Apt1 Report T -5100f0a34695c4c9dc7e915177041cad Intel::FILE_HASH Mandiant Apt1 Report T -51326bf40da5a5357a143dd9a6e6a11c Intel::FILE_HASH Mandiant Apt1 Report T -51ce169debea41314f591290839fd55f Intel::FILE_HASH Mandiant Apt1 Report T -522d32a505f78f09303e689999a3e461 Intel::FILE_HASH Mandiant Apt1 Report T -523cf1c9741f5f9d11388a58de6a83a4 Intel::FILE_HASH Mandiant Apt1 Report T -523f56515221161579ee6090c962e5b1 Intel::FILE_HASH Mandiant Apt1 Report T -52509abd1cc7b7fb391b19929e0d99c0 Intel::FILE_HASH Mandiant Apt1 Report T -52bd3ceef33900d53315f89538128026 Intel::FILE_HASH Mandiant Apt1 Report T -52cb7fed85bd7ff6797fbc70105a09fe Intel::FILE_HASH Mandiant Apt1 Report T -531a3b0acd95f55c3a7418d31f741357 Intel::FILE_HASH Mandiant Apt1 Report T -53600687ec97c297f03b4f0f4710d0c5 Intel::FILE_HASH Mandiant Apt1 Report T -53b263dd41838aa178a5ced338a207f3 Intel::FILE_HASH Mandiant Apt1 Report T -543c283d691939d99667e22bcb7be610 Intel::FILE_HASH Mandiant Apt1 Report T -543e03cc5872e9ed870b2d64363f518b Intel::FILE_HASH Mandiant Apt1 Report T -54d5d171a482278cc8eacf08d9175fd7 Intel::FILE_HASH Mandiant Apt1 Report T -5537bdce991797198a9ff97ff1492f90 Intel::FILE_HASH Mandiant Apt1 Report T -55886d571c2a57984ea9659b57e1c63a Intel::FILE_HASH Mandiant Apt1 Report T -55bd26326db3d512b6bd9f75d6671819 Intel::FILE_HASH Mandiant Apt1 Report T -55f60194833efcbc8ac16bd0a1cced1a Intel::FILE_HASH Mandiant Apt1 Report T -55fb1409170c91740359d1d96364f17b Intel::FILE_HASH Mandiant Apt1 Report T -5613e6d7111b327307c02bec1701ac3f Intel::FILE_HASH Mandiant Apt1 Report T -565b6fedccab184c92e40483ea49a25f Intel::FILE_HASH Mandiant Apt1 Report T -567395a3c720fcd09eb75b6c188b8687 Intel::FILE_HASH Mandiant Apt1 Report T -56892b0befe8b7a188fdb7e72a07e60f Intel::FILE_HASH Mandiant Apt1 Report T -56a5d0575c0c712deb16f465ac888a65 Intel::FILE_HASH Mandiant Apt1 Report T -56c26b175ae23d90244805a6ec347e42 Intel::FILE_HASH Mandiant Apt1 Report T -56c8ff5c6832f1e31a59e0717c3ab79c Intel::FILE_HASH Mandiant Apt1 Report T -56de2854ef64d869b5df7af5e4effe3e Intel::FILE_HASH Mandiant Apt1 Report T -56dff5cdfee293100b59096326fb0daf Intel::FILE_HASH Mandiant Apt1 Report T -57326cd78a56d26e349bbd4bcc5b9fa2 Intel::FILE_HASH Mandiant Apt1 Report T -575836ebb1b8849f04e994e9160370e4 Intel::FILE_HASH Mandiant Apt1 Report T -5790c7c09735cf1ccf10625c7cd87f5e Intel::FILE_HASH Mandiant Apt1 Report T -57cbf78c226265cc1e61ad86779bf906 Intel::FILE_HASH Mandiant Apt1 Report T -57cfef3e32e60df11b8d2c5375f3185c Intel::FILE_HASH Mandiant Apt1 Report T -57e79f7df13c0cb01910d0c688fcd296 Intel::FILE_HASH Mandiant Apt1 Report T -57f98d16ac439a11012860f88db21831 Intel::FILE_HASH Mandiant Apt1 Report T -580a4c05982accc678a72c366b45815d Intel::FILE_HASH Mandiant Apt1 Report T -585691777080b419b523938edd3ba2d6 Intel::FILE_HASH Mandiant Apt1 Report T -588c40520a3cea27d2b35cd1fa05e23f Intel::FILE_HASH Mandiant Apt1 Report T -58b020fd3bc0d34e8c4eaf0a3f3135af Intel::FILE_HASH Mandiant Apt1 Report T -592a33f691daa01ccbfc8078ad961b43 Intel::FILE_HASH Mandiant Apt1 Report T -59620925bf1c4f760c4bf225c7efd6c0 Intel::FILE_HASH Mandiant Apt1 Report T -5a032c13942a46c5ae015f53d9ce138a Intel::FILE_HASH Mandiant Apt1 Report T -5a3abb8053c271c58e879b3b9cf8c8f5 Intel::FILE_HASH Mandiant Apt1 Report T -5a728cb9ce56763dccb32b5298d0f050 Intel::FILE_HASH Mandiant Apt1 Report T -5aeaa53340a281074fcb539967438e3f Intel::FILE_HASH Mandiant Apt1 Report T -5bac505fdc202e1c6507ef381a881ed1 Intel::FILE_HASH Mandiant Apt1 Report T -5bcaa2f4bc7567f6ffd5507a161e221a Intel::FILE_HASH Mandiant Apt1 Report T -5bd5a22d42c04db7ac1343a2a9f471fe Intel::FILE_HASH Mandiant Apt1 Report T -5c4806b5859b35a3df03763e9c7ecbf6 Intel::FILE_HASH Mandiant Apt1 Report T -5c6f30cc369cd164d44941d381e282cc Intel::FILE_HASH Mandiant Apt1 Report T -5ccb52a8e3c31dde2ddbc486a2215e85 Intel::FILE_HASH Mandiant Apt1 Report T -5cd578614afb50b925008b68b3accdb9 Intel::FILE_HASH Mandiant Apt1 Report T -5cd7526fc7d849cbbf8c9d1ffe97a991 Intel::FILE_HASH Mandiant Apt1 Report T -5cf0959687427850a92d7f69edd41b86 Intel::FILE_HASH Mandiant Apt1 Report T -5d8129be965fab8115eca34fc84bd7f0 Intel::FILE_HASH Mandiant Apt1 Report T -5dea347d29a3e9c21c52385a10224b65 Intel::FILE_HASH Mandiant Apt1 Report T -5e17055c51724b0b89ff036d02f5208a Intel::FILE_HASH Mandiant Apt1 Report T -5e1d81618eaf005b8e0cd63fbc9a4937 Intel::FILE_HASH Mandiant Apt1 Report T -5e33a9835bced338cb1959c347ac6798 Intel::FILE_HASH Mandiant Apt1 Report T -5e42780f52763c77d592044e535e4b01 Intel::FILE_HASH Mandiant Apt1 Report T -5e686bd284022e35559a9c6118df8f1e Intel::FILE_HASH Mandiant Apt1 Report T -5f837bbfd3b458321070e2aebca4ec46 Intel::FILE_HASH Mandiant Apt1 Report T -5fa50476240c9c59cb72b345751434ce Intel::FILE_HASH Mandiant Apt1 Report T -5ff3269faca4a67d1a4c537154aaad4b Intel::FILE_HASH Mandiant Apt1 Report T -6040dd5b603483f738be6a02a63538f2 Intel::FILE_HASH Mandiant Apt1 Report T -605c1dc91a5c85024160ce78dfac842d Intel::FILE_HASH Mandiant Apt1 Report T -609d917a7f0c526b0d8091c8191da376 Intel::FILE_HASH Mandiant Apt1 Report T -611b1577ba976f76fc01368545bc395c Intel::FILE_HASH Mandiant Apt1 Report T -611c8f862864af818202865b78ad7ca8 Intel::FILE_HASH Mandiant Apt1 Report T -61daab56e07dfa3a236d8aec9eb80545 Intel::FILE_HASH Mandiant Apt1 Report T -61e0da42d5d084af24d31fbcef4ff409 Intel::FILE_HASH Mandiant Apt1 Report T -620c6a6cff832e35090487680123f52b Intel::FILE_HASH Mandiant Apt1 Report T -62a35021454e17f4a913e577d7ecd22f Intel::FILE_HASH Mandiant Apt1 Report T -62bee50b480f6a6aa427a00464baf376 Intel::FILE_HASH Mandiant Apt1 Report T -62c72767508e461cfe94b0c706e6d446 Intel::FILE_HASH Mandiant Apt1 Report T -62d60a1cd1e7ba73aebc98812e5ac266 Intel::FILE_HASH Mandiant Apt1 Report T -62ea10608f0d54cd284e8d7be32f206e Intel::FILE_HASH Mandiant Apt1 Report T -633cb95904ab9dc0a3de4ddd443494e8 Intel::FILE_HASH Mandiant Apt1 Report T -6377ec0c87f4ec1e7897751dd85d73d4 Intel::FILE_HASH Mandiant Apt1 Report T -63db2f4fd717723f0e6f94e0a6a62c7b Intel::FILE_HASH Mandiant Apt1 Report T -6461ea41f179e660c40ed65aee1a4a2d Intel::FILE_HASH Mandiant Apt1 Report T -648ce1c45927b24563dd8361a1b74311 Intel::FILE_HASH Mandiant Apt1 Report T -649d54bc9eef5a60a4b9d8b889fee139 Intel::FILE_HASH Mandiant Apt1 Report T -64fa1239f5aa9a9031e61533283f8c22 Intel::FILE_HASH Mandiant Apt1 Report T -65018cd542145a3792ba09985734c12a Intel::FILE_HASH Mandiant Apt1 Report T -650a6fca433ee243391e4b4c11f09438 Intel::FILE_HASH Mandiant Apt1 Report T -6510cee34da30c7ef5e5e39980402257 Intel::FILE_HASH Mandiant Apt1 Report T -651d83c1b85acb204abd5bf7990a1298 Intel::FILE_HASH Mandiant Apt1 Report T -656baf38fa5ee776e2576cead664d004 Intel::FILE_HASH Mandiant Apt1 Report T -6570163cd34454b3d1476c134d44b9d9 Intel::FILE_HASH Mandiant Apt1 Report T -6576c196385407b0f7f4b1b537d88983 Intel::FILE_HASH Mandiant Apt1 Report T -668b92feb7cbcc7ac75ff97dcec28d10 Intel::FILE_HASH Mandiant Apt1 Report T -66c287675cd4c7172590f71181e723a8 Intel::FILE_HASH Mandiant Apt1 Report T -67504a0c2c2bf47efccdab5ca981ad7d Intel::FILE_HASH Mandiant Apt1 Report T -6767eeb485232436de9553988765fb89 Intel::FILE_HASH Mandiant Apt1 Report T -67f62f5accfeacf5e828c3b3905248fe Intel::FILE_HASH Mandiant Apt1 Report T -6808ec6dbb23f0fa7637c108f44c5c80 Intel::FILE_HASH Mandiant Apt1 Report T -6846ad52c9208830ceaf4cfd81402015 Intel::FILE_HASH Mandiant Apt1 Report T -687a58dcbc076b04bef4ec6050310fb5 Intel::FILE_HASH Mandiant Apt1 Report T -689dcd40d5eae8c0d315265f3d90ffae Intel::FILE_HASH Mandiant Apt1 Report T -68af7be698e8a7408451c158c04a9712 Intel::FILE_HASH Mandiant Apt1 Report T -68c67a6e26855ebc2569d67689c69a6e Intel::FILE_HASH Mandiant Apt1 Report T -68d2fd5049e70942d164e4e25d13dd8e Intel::FILE_HASH Mandiant Apt1 Report T -68e5bff12ac33ecb98977afed51ebad0 Intel::FILE_HASH Mandiant Apt1 Report T -693f711d8fab66a3efca98a19a733d56 Intel::FILE_HASH Mandiant Apt1 Report T -698fbe7ed1ddd7f5c76b86fad3f7a485 Intel::FILE_HASH Mandiant Apt1 Report T -69dc1e1ee273e531e91c60eb86396cc8 Intel::FILE_HASH Mandiant Apt1 Report T -6a4fbcfb44717eae2145c761c1c99b6a Intel::FILE_HASH Mandiant Apt1 Report T -6a88f170ab6cb0f9b3252adc61b4f487 Intel::FILE_HASH Mandiant Apt1 Report T -6ab7fa8e5fb63b8d0723387d0a1ffe6d Intel::FILE_HASH Mandiant Apt1 Report T -6b3d19cc86d82b06f5db3ae9d5ba8a5f Intel::FILE_HASH Mandiant Apt1 Report T -6b4ac249f918be9f7bc64ae7fdda947e Intel::FILE_HASH Mandiant Apt1 Report T -6b6c4c0e2959df248be90d89899953a9 Intel::FILE_HASH Mandiant Apt1 Report T -6bf8f1f99ac5bba0db1b66518df378a4 Intel::FILE_HASH Mandiant Apt1 Report T -6bf9083f1567edce004bd1f7c456659d Intel::FILE_HASH Mandiant Apt1 Report T -6c5c5e4049265fffc87973f3e4978b26 Intel::FILE_HASH Mandiant Apt1 Report T -6c65c697bcff935484a5cd2e7dd2e7d2 Intel::FILE_HASH Mandiant Apt1 Report T -6c9c9e40683467f60b910d5bad5285ae Intel::FILE_HASH Mandiant Apt1 Report T -6ca59c9c4165796e08ba6ca3eeffdee6 Intel::FILE_HASH Mandiant Apt1 Report T -6d2320af561b2315c1241e3efd86067f Intel::FILE_HASH Mandiant Apt1 Report T -6db47757ba324bb61ce3cbcabbec52d4 Intel::FILE_HASH Mandiant Apt1 Report T -6deae79fc82df523ba99852266a33f9e Intel::FILE_HASH Mandiant Apt1 Report T -6e442c5ef460bee4c9457c6bf7a132d6 Intel::FILE_HASH Mandiant Apt1 Report T -6e8f302794cfaae731840e345063e652 Intel::FILE_HASH Mandiant Apt1 Report T -6e9bedcf80f21171adb951a0d85d2adb Intel::FILE_HASH Mandiant Apt1 Report T -6eb99bed5b5fcb3fdb26f37aff2c9adb Intel::FILE_HASH Mandiant Apt1 Report T -6ebbfa603aa4e90148ad0b726806c359 Intel::FILE_HASH Mandiant Apt1 Report T -6ebd05a02459d3b22a9d4a79b8626bf1 Intel::FILE_HASH Mandiant Apt1 Report T -6eebee2aebd5194db62cb8230502378c Intel::FILE_HASH Mandiant Apt1 Report T -6f4182baa5a57b717cb9d850dfadb60a Intel::FILE_HASH Mandiant Apt1 Report T -6f551594fdf3539c62389c0cf0d2e16a Intel::FILE_HASH Mandiant Apt1 Report T -6f6abd53e10567d1534514fc36fca2e9 Intel::FILE_HASH Mandiant Apt1 Report T -6f9992c486195edcf0bf2f6ee6c3ec74 Intel::FILE_HASH Mandiant Apt1 Report T -6faa4740f99408d4d2dddd0b09bbdefd Intel::FILE_HASH Mandiant Apt1 Report T -6fbf667e82c1477c4ce635b57b83bfa0 Intel::FILE_HASH Mandiant Apt1 Report T -6fdec862951e8b128cd7a07b2031eef6 Intel::FILE_HASH Mandiant Apt1 Report T -70a55fdc712c6e31e013e6b5d412b0d6 Intel::FILE_HASH Mandiant Apt1 Report T -70bb674fc97d7bf4d8dbbe3636f65c4a Intel::FILE_HASH Mandiant Apt1 Report T -70c10f8b4dcd01b07be6cfb4df0d3348 Intel::FILE_HASH Mandiant Apt1 Report T -70e2827ab4af1a38dc09a02fa95b82fe Intel::FILE_HASH Mandiant Apt1 Report T -71173ad2bc7b39342b1bdaadeaaa0d8a Intel::FILE_HASH Mandiant Apt1 Report T -7127241c033c403b18bd281d0dfc4e31 Intel::FILE_HASH Mandiant Apt1 Report T -71536d2e95420c55412c12dffea1a0a6 Intel::FILE_HASH Mandiant Apt1 Report T -7253de652a025b2b4fa7b02e97a1ee6b Intel::FILE_HASH Mandiant Apt1 Report T -727a6800991eead454e53e8af164a99c Intel::FILE_HASH Mandiant Apt1 Report T -7388d67561d0a7989202ad4d37eff24f Intel::FILE_HASH Mandiant Apt1 Report T -73a63c21a08b0ad2c69999e448f8e6a1 Intel::FILE_HASH Mandiant Apt1 Report T -73d125f84503bd87f8142cf2ba8ab05e Intel::FILE_HASH Mandiant Apt1 Report T -74b3ee9f3f6c52413db6e5c9ace34893 Intel::FILE_HASH Mandiant Apt1 Report T -75372eb37415140fa5464f1ebb8a0e74 Intel::FILE_HASH Mandiant Apt1 Report T -753ec12f61c2f7c9a5763c9063a16106 Intel::FILE_HASH Mandiant Apt1 Report T -759b320aca72ba446e7e156407ebc10d Intel::FILE_HASH Mandiant Apt1 Report T -75dad1ccabae8adeb5bae899d0c630f8 Intel::FILE_HASH Mandiant Apt1 Report T -75f37a69664362462ad491741a34f195 Intel::FILE_HASH Mandiant Apt1 Report T -75ff4bd6b209b6f10472c4cd22e3f9e6 Intel::FILE_HASH Mandiant Apt1 Report T -760339e927e391e289bd91bad4cd59c3 Intel::FILE_HASH Mandiant Apt1 Report T -769aeae232c6162cedcb6c7255640c4c Intel::FILE_HASH Mandiant Apt1 Report T -76ba06bac23a2c445cb982bf38b82199 Intel::FILE_HASH Mandiant Apt1 Report T -76bf44d7734ec8581e846a9f3005aed4 Intel::FILE_HASH Mandiant Apt1 Report T -76c1b246703a10cb6e71a3e5b7b55b24 Intel::FILE_HASH Mandiant Apt1 Report T -76f6c7301dbf0219eae991d65804292a Intel::FILE_HASH Mandiant Apt1 Report T -7704ad9e8e0e3d75075e4c294f698d53 Intel::FILE_HASH Mandiant Apt1 Report T -7712d05c8b499fc7a1f4a6a6b6dee825 Intel::FILE_HASH Mandiant Apt1 Report T -772c771e13e599cbf25bf9e0199681f7 Intel::FILE_HASH Mandiant Apt1 Report T -77382bb7fd431211b32d84d4de74b043 Intel::FILE_HASH Mandiant Apt1 Report T -775459afc5415984dfa2a0f533011763 Intel::FILE_HASH Mandiant Apt1 Report T -77afced93e20b1bb906796197fa1dd1d Intel::FILE_HASH Mandiant Apt1 Report T -77dc072fdd632c12bacc09ceb8e6ee39 Intel::FILE_HASH Mandiant Apt1 Report T -77fbfed235d6062212a3e43211a5706e Intel::FILE_HASH Mandiant Apt1 Report T -785003a405bc7a4ebcbb21ddb757bf3f Intel::FILE_HASH Mandiant Apt1 Report T -78524ba7f66c0ec4a3755e51709db1aa Intel::FILE_HASH Mandiant Apt1 Report T -7852b941a46e37fe9b332b1be77a6960 Intel::FILE_HASH Mandiant Apt1 Report T -79841c13f645118a600d19def3642d1a Intel::FILE_HASH Mandiant Apt1 Report T -79f3bac2826f8511c96240758af116b4 Intel::FILE_HASH Mandiant Apt1 Report T -7a2692cafec377c444bc3147fc43e57f Intel::FILE_HASH Mandiant Apt1 Report T -7a2eba5ca6f9b2cec61c5cc55dfca762 Intel::FILE_HASH Mandiant Apt1 Report T -7a660a9e48f6065333f388f2c0a67bd8 Intel::FILE_HASH Mandiant Apt1 Report T -7a670d13d4d014169c4080328b8feb86 Intel::FILE_HASH Mandiant Apt1 Report T -7a7a46e8fbc25a624d58e897dee04ffa Intel::FILE_HASH Mandiant Apt1 Report T -7ab86c938b960dfc0c4ffbadd4163666 Intel::FILE_HASH Mandiant Apt1 Report T -7acb0d1df51706536f33bbdb990041d3 Intel::FILE_HASH Mandiant Apt1 Report T -7aecb34616245eb6b2906358151be55b Intel::FILE_HASH Mandiant Apt1 Report T -7aef47f9fd84669976c4b152910a6328 Intel::FILE_HASH Mandiant Apt1 Report T -7af399ff99109a9501da73337c0bdf4b Intel::FILE_HASH Mandiant Apt1 Report T -7b3ce6c2af1acd119a25831fac670bab Intel::FILE_HASH Mandiant Apt1 Report T -7b42b35832855ab4ff37ae9b8fa9e571 Intel::FILE_HASH Mandiant Apt1 Report T -7b451bbbdc840378b785bed6b9e30e0f Intel::FILE_HASH Mandiant Apt1 Report T -7be6c90facbfe9ecf470fb27e6673fbc Intel::FILE_HASH Mandiant Apt1 Report T -7bfeb0eaa1c51513e60bc0abafb1be9f Intel::FILE_HASH Mandiant Apt1 Report T -7c82cd17b0fa420f09f97e060621ed7b Intel::FILE_HASH Mandiant Apt1 Report T -7cb055ac3acbf53e07e20b65ec9126a1 Intel::FILE_HASH Mandiant Apt1 Report T -7ce16b35201d8d35965ec7aeebdc80ff Intel::FILE_HASH Mandiant Apt1 Report T -7d0efb2480834a6a80210b7342d51154 Intel::FILE_HASH Mandiant Apt1 Report T -7d25a80fe2c42368adaea5fcbab866b6 Intel::FILE_HASH Mandiant Apt1 Report T -7d3140bd028f70f1fa865364b69c5999 Intel::FILE_HASH Mandiant Apt1 Report T -7deed54a40efc12ea03e3f1859522862 Intel::FILE_HASH Mandiant Apt1 Report T -7e56369d466dd3d85a9b31f65ee8e551 Intel::FILE_HASH Mandiant Apt1 Report T -7e64b28b0050d23970478c81e8037470 Intel::FILE_HASH Mandiant Apt1 Report T -7e8d1f26679a88268e273ab498e597f4 Intel::FILE_HASH Mandiant Apt1 Report T -7eedcd6d00b4f08b825b4c134b6d8f1a Intel::FILE_HASH Mandiant Apt1 Report T -7f1a4bc267ace340a5aa7a0b79cbf349 Intel::FILE_HASH Mandiant Apt1 Report T -7f26403f8e59a5f2728af2d3e0efaabb Intel::FILE_HASH Mandiant Apt1 Report T -7f398b00546c3a0946cd6142c308a556 Intel::FILE_HASH Mandiant Apt1 Report T -7fc52a32337386d867a952a2c8644353 Intel::FILE_HASH Mandiant Apt1 Report T -80856bd8ef7d5dbc3dc774f581855549 Intel::FILE_HASH Mandiant Apt1 Report T -80bca9f272152280a462f84f1588c0cc Intel::FILE_HASH Mandiant Apt1 Report T -8153b612499dbf432e2d9805b20ae783 Intel::FILE_HASH Mandiant Apt1 Report T -815a89041dea3e56348f8f5c8b7d1457 Intel::FILE_HASH Mandiant Apt1 Report T -81602ce95a4b7f3d3cd1953a2456cd92 Intel::FILE_HASH Mandiant Apt1 Report T -81b03cbcfc4b9d090cd8f5e5da816895 Intel::FILE_HASH Mandiant Apt1 Report T -81ce61ed2dc567ce70589386563890ca Intel::FILE_HASH Mandiant Apt1 Report T -82390e18379710df84d48881a1c1d0ed Intel::FILE_HASH Mandiant Apt1 Report T -827040a5f5ae8de281a63899224b2f3a Intel::FILE_HASH Mandiant Apt1 Report T -82b065518f085c6ceb0a9135ab51df41 Intel::FILE_HASH Mandiant Apt1 Report T -830a748959bdd1ad3b6a1f72aab6f063 Intel::FILE_HASH Mandiant Apt1 Report T -830e5cd6d590aa65dd3e2c1a01b42259 Intel::FILE_HASH Mandiant Apt1 Report T -831a67dc75e2d4505180888747bc8ea9 Intel::FILE_HASH Mandiant Apt1 Report T -8387adb5325035baa3fe3a2b0cb4921a Intel::FILE_HASH Mandiant Apt1 Report T -839c8c06c4d81f523078b0d45d8250ff Intel::FILE_HASH Mandiant Apt1 Report T -83b3711c32d28a87b173e7e5aba5f826 Intel::FILE_HASH Mandiant Apt1 Report T -8412a3e37499f8289faf54546824ab61 Intel::FILE_HASH Mandiant Apt1 Report T -8442ae37b91f279a9f06de4c60b286a3 Intel::FILE_HASH Mandiant Apt1 Report T -8454918f639a1b0719e00627f211d2ed Intel::FILE_HASH Mandiant Apt1 Report T -8462a62f13f92c34e4b89a7d13a185ad Intel::FILE_HASH Mandiant Apt1 Report T -855ca1b45a247754ad91d50827a2e16c Intel::FILE_HASH Mandiant Apt1 Report T -85c4081a97255ac7ca7d0d5554e86ec1 Intel::FILE_HASH Mandiant Apt1 Report T -85c828f5ea5d99e0c98017f6d6be243f Intel::FILE_HASH Mandiant Apt1 Report T -86a906db5686bbf487689937d15bf71a Intel::FILE_HASH Mandiant Apt1 Report T -86b1f3874bf741a3f9c0d74625af5f8d Intel::FILE_HASH Mandiant Apt1 Report T -86b68ad2e9c33eadf134285ea142ccc2 Intel::FILE_HASH Mandiant Apt1 Report T -86dd715a8d28788e68a575207d66df34 Intel::FILE_HASH Mandiant Apt1 Report T -871cc547feb9dbec0285321068e392b8 Intel::FILE_HASH Mandiant Apt1 Report T -8725870a43192cb0176c82012996910a Intel::FILE_HASH Mandiant Apt1 Report T -874bb818208655b59a8c4c1ae2aef379 Intel::FILE_HASH Mandiant Apt1 Report T -876ee736ebad6917a259456fc3a2f11b Intel::FILE_HASH Mandiant Apt1 Report T -87efe3671ef8f1eca57f2d8f7e4711d9 Intel::FILE_HASH Mandiant Apt1 Report T -8845cb5b4e450cb10a3b6ca41a9b4319 Intel::FILE_HASH Mandiant Apt1 Report T -88b5f635ac9031bcdeda1f751952f966 Intel::FILE_HASH Mandiant Apt1 Report T -88c7c50cd4130561d57a1d3b82c5b953 Intel::FILE_HASH Mandiant Apt1 Report T -88dbcc682635b4013bcba5ad28bb976b Intel::FILE_HASH Mandiant Apt1 Report T -8913ac72cdb8afd98bd8446896e1595a Intel::FILE_HASH Mandiant Apt1 Report T -89164a973ae081991a973aa9d5cdee7c Intel::FILE_HASH Mandiant Apt1 Report T -8934aeed5d213fe29e858eee616a6ec7 Intel::FILE_HASH Mandiant Apt1 Report T -898a8a43c8708961094944fb42c278ab Intel::FILE_HASH Mandiant Apt1 Report T -89a2802e2f2356ce6a757f833c3ba3ef Intel::FILE_HASH Mandiant Apt1 Report T -8a7764ded8467bd0fd0c30adc2acc1d4 Intel::FILE_HASH Mandiant Apt1 Report T -8a86df3d382bfd1e4c4165f4cacfdff8 Intel::FILE_HASH Mandiant Apt1 Report T -8b75bcbff174c25a0161f30758509a44 Intel::FILE_HASH Mandiant Apt1 Report T -8bf9698c18b2aa23f71444af2571a6ad Intel::FILE_HASH Mandiant Apt1 Report T -8c57b287a1d2140ccedd6cd097d62ded Intel::FILE_HASH Mandiant Apt1 Report T -8c6ece2ade2bfad3171c925baa64af50 Intel::FILE_HASH Mandiant Apt1 Report T -8c9871a9eb88ffc43507f988b222dc52 Intel::FILE_HASH Mandiant Apt1 Report T -8cb321a7871706fb6246489cb7c4da03 Intel::FILE_HASH Mandiant Apt1 Report T -8cda4e0ee20ddd00003caf7947af7fe4 Intel::FILE_HASH Mandiant Apt1 Report T -8d251ef81b1e2251601a7b2b0c03ec05 Intel::FILE_HASH Mandiant Apt1 Report T -8d81eeaeb0bd74a1faab257079452078 Intel::FILE_HASH Mandiant Apt1 Report T -8dc3561ca52bfe40089f3ee0af7fdd9d Intel::FILE_HASH Mandiant Apt1 Report T -8dfbf8a46d3a302fd420305918e9414d Intel::FILE_HASH Mandiant Apt1 Report T -8e1ec7e556b8c6612b6c34e310c50b66 Intel::FILE_HASH Mandiant Apt1 Report T -8e8622c393d7e832d39e620ead5d3b49 Intel::FILE_HASH Mandiant Apt1 Report T -8f3d20c983f9d82a8ff17466f45ee757 Intel::FILE_HASH Mandiant Apt1 Report T -8f4863b4dfb52d8362c031d3720a6d97 Intel::FILE_HASH Mandiant Apt1 Report T -8fc5fb519a222ab919f28d21545774c6 Intel::FILE_HASH Mandiant Apt1 Report T -8fdb15f3d5480de78c61ccef23722683 Intel::FILE_HASH Mandiant Apt1 Report T -91dc97c4b66e3282e1aa831e0bb0bb14 Intel::FILE_HASH Mandiant Apt1 Report T -91deceb64c795927c6ea07f695f67334 Intel::FILE_HASH Mandiant Apt1 Report T -91f538c08b9dee1bb0c6b6c82f727c5d Intel::FILE_HASH Mandiant Apt1 Report T -9206ae65b685dc7ea1cf1ec02606de6c Intel::FILE_HASH Mandiant Apt1 Report T -929802a27737cebc59d19da724fdf30a Intel::FILE_HASH Mandiant Apt1 Report T -933b11bc4799f8d9f65466fb2e3ea659 Intel::FILE_HASH Mandiant Apt1 Report T -9371fcd92ef86ccf450af903bc74ec01 Intel::FILE_HASH Mandiant Apt1 Report T -9400fb97c145587b17fb456fac636771 Intel::FILE_HASH Mandiant Apt1 Report T -94a59ce0fadf84f6efa10fe7d5ee3a03 Intel::FILE_HASH Mandiant Apt1 Report T -950234183528ce107d65b700be1bbbd3 Intel::FILE_HASH Mandiant Apt1 Report T -9548e5ed4fbacd0ed4a9d6a27f5d8fec Intel::FILE_HASH Mandiant Apt1 Report T -959c680c26f26e7f1dd61607942dc96a Intel::FILE_HASH Mandiant Apt1 Report T -95d85aa629a786bb67439a064c4349ec Intel::FILE_HASH Mandiant Apt1 Report T -95f25d3afc5370f5d9fd8e65c17d3599 Intel::FILE_HASH Mandiant Apt1 Report T -966db6a32ccf7e57394706abc3999189 Intel::FILE_HASH Mandiant Apt1 Report T -9675827a495f4ba6a4efd4dd70932b7c Intel::FILE_HASH Mandiant Apt1 Report T -973f4a238d6d19bdc7b42977b07b9cef Intel::FILE_HASH Mandiant Apt1 Report T -97c83d85bd76a38b13cea960a1a97f70 Intel::FILE_HASH Mandiant Apt1 Report T -98409dbf432419024dbf028c004344c1 Intel::FILE_HASH Mandiant Apt1 Report T -989b797c2a63fbfc8e1c6e8a8ccd6204 Intel::FILE_HASH Mandiant Apt1 Report T -98bddd6c789a883afa1de3524bb8ea8e Intel::FILE_HASH Mandiant Apt1 Report T -98cf219830733fb98fd2a957b7c4b163 Intel::FILE_HASH Mandiant Apt1 Report T -98d257a13d176940910d6441a854d7a4 Intel::FILE_HASH Mandiant Apt1 Report T -99882234b814b860a22b4d441b92fd82 Intel::FILE_HASH Mandiant Apt1 Report T -99a29ccea951a950040f3944abafed40 Intel::FILE_HASH Mandiant Apt1 Report T -99a39866a657a10949fcb6d634bb30d5 Intel::FILE_HASH Mandiant Apt1 Report T -99a7e4a01b813b9b26ba76bf0b484742 Intel::FILE_HASH Mandiant Apt1 Report T -9a58cc73e103fd5a14ef3564e35c03df Intel::FILE_HASH Mandiant Apt1 Report T -9a66fa24268d158341d497feecbed889 Intel::FILE_HASH Mandiant Apt1 Report T -9ad292de00b2175a80b5909fa173cdcd Intel::FILE_HASH Mandiant Apt1 Report T -9c03ab63a45d29aee90b72ae89f2f613 Intel::FILE_HASH Mandiant Apt1 Report T -9c36333385d351e59d6c4372d757479e Intel::FILE_HASH Mandiant Apt1 Report T -9cb07b71dcd1ac9dfdbf9f4cdfd4f273 Intel::FILE_HASH Mandiant Apt1 Report T -9d1d58e370bea4b5e79a1f914516cbc0 Intel::FILE_HASH Mandiant Apt1 Report T -9d5aabcda9106132d1e1b6cf6cae28aa Intel::FILE_HASH Mandiant Apt1 Report T -9d7499c3a01daba5c9b5090b079808ca Intel::FILE_HASH Mandiant Apt1 Report T -9d75897d9c0a5da7e95082ea5ae1f648 Intel::FILE_HASH Mandiant Apt1 Report T -9d85a2ae1e7971a49cb417d97797ac8a Intel::FILE_HASH Mandiant Apt1 Report T -9d8a7970be7826d29732817c0cc84bde Intel::FILE_HASH Mandiant Apt1 Report T -9d93fc89fb6e0a8142e837b2de045fdd Intel::FILE_HASH Mandiant Apt1 Report T -9dab4da07ed669b44f409eb60f3b0e50 Intel::FILE_HASH Mandiant Apt1 Report T -9df30198f52b16925db1e3da61cfc754 Intel::FILE_HASH Mandiant Apt1 Report T -9e30b1665077b7e65bc8ff1e7c752306 Intel::FILE_HASH Mandiant Apt1 Report T -9e511dc5ad8a884f4416e68c54f742e1 Intel::FILE_HASH Mandiant Apt1 Report T -9e860622fee66074dfe81dcfcc40c4e2 Intel::FILE_HASH Mandiant Apt1 Report T -9ea3c16194ce354c244c1b74c46cd92e Intel::FILE_HASH Mandiant Apt1 Report T -9ecf9d5d8872fe55ab120265c3749ffc Intel::FILE_HASH Mandiant Apt1 Report T -9f11bc08af048c5c3a110e567082fe0b Intel::FILE_HASH Mandiant Apt1 Report T -9f3fbec4341f246aa6131ab01d6e4234 Intel::FILE_HASH Mandiant Apt1 Report T -9fc3ed6c9b8056fbf155f79569ca7cb1 Intel::FILE_HASH Mandiant Apt1 Report T -a039a61e4c274811b0388aa517d29fbb Intel::FILE_HASH Mandiant Apt1 Report T -a1468ce16f2d17979cc1a61878c1c8c6 Intel::FILE_HASH Mandiant Apt1 Report T -a14e8df8bc55f7459d24fe526f51a16d Intel::FILE_HASH Mandiant Apt1 Report T -a17bb80ae02c8b003cf69222fa13f506 Intel::FILE_HASH Mandiant Apt1 Report T -a1b8aa19c92c257cbace54337f6672d3 Intel::FILE_HASH Mandiant Apt1 Report T -a1b924b8c8fa157ae8775fd86f692053 Intel::FILE_HASH Mandiant Apt1 Report T -a1cb8a9f2b8926afeb254a64f1d78ee3 Intel::FILE_HASH Mandiant Apt1 Report T -a24112e4b875038331d2672b6427763c Intel::FILE_HASH Mandiant Apt1 Report T -a241eec892637dec971bd925a40d3efb Intel::FILE_HASH Mandiant Apt1 Report T -a2534e9b7e4146368ea3245381830eb0 Intel::FILE_HASH Mandiant Apt1 Report T -a28ee614e3d783a7561cf8a5a469959f Intel::FILE_HASH Mandiant Apt1 Report T -a2cd1189860b9ba214421aab86ecbc8a Intel::FILE_HASH Mandiant Apt1 Report T -a2feee5e0ac3f825d4b7de7e0b95bb1f Intel::FILE_HASH Mandiant Apt1 Report T -a311516cdf06d3db4f49e67da5213ebe Intel::FILE_HASH Mandiant Apt1 Report T -a316d5aeca269ca865077e7fff356e7d Intel::FILE_HASH Mandiant Apt1 Report T -a34234a27157851300d9b698f6c56d9a Intel::FILE_HASH Mandiant Apt1 Report T -a354e3c566645100e757f3e43c9b007d Intel::FILE_HASH Mandiant Apt1 Report T -a360b16c19ab9dea6763f777257c5f38 Intel::FILE_HASH Mandiant Apt1 Report T -a38a367d6696ba90b2e778a5a4bf98fd Intel::FILE_HASH Mandiant Apt1 Report T -a40e20ff8b991308f508239625f275d8 Intel::FILE_HASH Mandiant Apt1 Report T -a4143ade719c2222d8602819a3e212ae Intel::FILE_HASH Mandiant Apt1 Report T -a44312eb63de002383a57b5a93271cdc Intel::FILE_HASH Mandiant Apt1 Report T -a4903f7c293993069f865468bd7cec78 Intel::FILE_HASH Mandiant Apt1 Report T -a4ad7335aa391519cc5fc9140f2562f2 Intel::FILE_HASH Mandiant Apt1 Report T -a510d0c9b7930abaa7aa6b0ac294e675 Intel::FILE_HASH Mandiant Apt1 Report T -a517ca12e2648b0590a5af565f8346b3 Intel::FILE_HASH Mandiant Apt1 Report T -a565682d8a13a5719977223e0d9c7aa4 Intel::FILE_HASH Mandiant Apt1 Report T -a5b581c0600815b1112ca2fed578928b Intel::FILE_HASH Mandiant Apt1 Report T -a5d4ebc0285f0213e0c29d23bc410889 Intel::FILE_HASH Mandiant Apt1 Report T -a6117891e42ee7db36253b57839c8b8f Intel::FILE_HASH Mandiant Apt1 Report T -a639f598d4c0b9aa7a4691d05f27d977 Intel::FILE_HASH Mandiant Apt1 Report T -a6725f263daf3e94adc3668751b909d0 Intel::FILE_HASH Mandiant Apt1 Report T -a6a583aeaf4952787e15f30d289ca138 Intel::FILE_HASH Mandiant Apt1 Report T -a6b99080565aa7933d946b8b9d9d7476 Intel::FILE_HASH Mandiant Apt1 Report T -a70aaf335f7f1a04c7fe194602b11c14 Intel::FILE_HASH Mandiant Apt1 Report T -a7117612ea6b6fa3307943f5ed21fbb4 Intel::FILE_HASH Mandiant Apt1 Report T -a7f17c75519fb8a39d37c47617202b05 Intel::FILE_HASH Mandiant Apt1 Report T -a807ad465b2fe5859c85626e97eaf907 Intel::FILE_HASH Mandiant Apt1 Report T -a810ab506857c933df2bea40ae0eb548 Intel::FILE_HASH Mandiant Apt1 Report T -a8b183fe32ad8d426e20227f3c8b7592 Intel::FILE_HASH Mandiant Apt1 Report T -a8b2ac446c614fd5d4880d95369deb3b Intel::FILE_HASH Mandiant Apt1 Report T -a8f259bb36e00d124963cfa9b86f502e Intel::FILE_HASH Mandiant Apt1 Report T -a96a6c91e71e243f00a64f53e2fd6415 Intel::FILE_HASH Mandiant Apt1 Report T -a9993969be3ea340d420eea5868c0d1d Intel::FILE_HASH Mandiant Apt1 Report T -a99e06e2f90db4e506ef1347a8774dd5 Intel::FILE_HASH Mandiant Apt1 Report T -aa4f1ecc4d25b33395196b5d51a06790 Intel::FILE_HASH Mandiant Apt1 Report T -ab00b38179851c8aa3f9bc80ed7baa23 Intel::FILE_HASH Mandiant Apt1 Report T -ab208f0b517ba9850f1551c9555b5313 Intel::FILE_HASH Mandiant Apt1 Report T -ab445da3ee4e81a84d644476f669d35c Intel::FILE_HASH Mandiant Apt1 Report T -abcaf816de63c632ec23d6bda3f02bb5 Intel::FILE_HASH Mandiant Apt1 Report T -abe6ab89f957f6edf8f41b5ad198e5e6 Intel::FILE_HASH Mandiant Apt1 Report T -abff707cb54a6e5a9fcbb3fef74dbddc Intel::FILE_HASH Mandiant Apt1 Report T -ac87816b9a371e72512d8fd82f61c737 Intel::FILE_HASH Mandiant Apt1 Report T -acb99e5318f7001298df1aef51a9463e Intel::FILE_HASH Mandiant Apt1 Report T -ace798670a64b38aa7d065c776b49f17 Intel::FILE_HASH Mandiant Apt1 Report T -ad3cccbe9ddff04b670d353b938f5da9 Intel::FILE_HASH Mandiant Apt1 Report T -ad7bdadde9a4da73ffc776c606dbb75e Intel::FILE_HASH Mandiant Apt1 Report T -ad8cde8841208ff226e04e8514dc699c Intel::FILE_HASH Mandiant Apt1 Report T -adb2fc194b960e694aa450161f1df6fc Intel::FILE_HASH Mandiant Apt1 Report T -adb62105427567ddc11124fc27921c40 Intel::FILE_HASH Mandiant Apt1 Report T -ae1dda87cc5998de79ecb68527bbd191 Intel::FILE_HASH Mandiant Apt1 Report T -af2745e8888f2ba17a9cf2e0779d3874 Intel::FILE_HASH Mandiant Apt1 Report T -af2f7b070245c90bd2a0a0845314173a Intel::FILE_HASH Mandiant Apt1 Report T -af719814507fdca4b96184f33b6b92ea Intel::FILE_HASH Mandiant Apt1 Report T -b0538781d47dde1e9a46a2610155c2d3 Intel::FILE_HASH Mandiant Apt1 Report T -b07322743778b5868475dbe66eedac4f Intel::FILE_HASH Mandiant Apt1 Report T -b0d4fbcc0c65c7d5ef7e1c4309c719cb Intel::FILE_HASH Mandiant Apt1 Report T -b145e4d19f5ecfaad45c795aee69c8dc Intel::FILE_HASH Mandiant Apt1 Report T -b1838a6c341260fbdaf288795cc63900 Intel::FILE_HASH Mandiant Apt1 Report T -b1912db011633d98bc40ac568a4167a7 Intel::FILE_HASH Mandiant Apt1 Report T -b1ee00cec6c2318fa86f320dd7fc99a8 Intel::FILE_HASH Mandiant Apt1 Report T -b1ff1ef983a1aee3a395788ec441d006 Intel::FILE_HASH Mandiant Apt1 Report T -b2599b3078c28a278a3e7cd8b46304da Intel::FILE_HASH Mandiant Apt1 Report T -b305b543da332a2fcf6e1ce55ed2ea79 Intel::FILE_HASH Mandiant Apt1 Report T -b36168ea438520875c621f5603db003f Intel::FILE_HASH Mandiant Apt1 Report T -b3848edbabfbce246a9faf5466e743bf Intel::FILE_HASH Mandiant Apt1 Report T -b3af1381f69e36b72e5b272f06aa1fa2 Intel::FILE_HASH Mandiant Apt1 Report T -b3bc979d8de3be09728c5de1a0297c4b Intel::FILE_HASH Mandiant Apt1 Report T -b3defdbd173738d44137f88a571647e1 Intel::FILE_HASH Mandiant Apt1 Report T -b43266a047b2895399f4883cfe37c089 Intel::FILE_HASH Mandiant Apt1 Report T -b47e5d095be9fd61016817359f6c2887 Intel::FILE_HASH Mandiant Apt1 Report T -b54f58c484f56c704858ccfffbb9d535 Intel::FILE_HASH Mandiant Apt1 Report T -b5a430a0696b5b25ae6b4fa5cbfe3333 Intel::FILE_HASH Mandiant Apt1 Report T -b5e9ce72771217680efaeecfafe3da3f Intel::FILE_HASH Mandiant Apt1 Report T -b631a3d832f7c22c26554711188f59c3 Intel::FILE_HASH Mandiant Apt1 Report T -b63452ecd2da62f30923a124bcd41b45 Intel::FILE_HASH Mandiant Apt1 Report T -b661f78279ca0b2e0ae611013eb00f20 Intel::FILE_HASH Mandiant Apt1 Report T -b6f2f483e03b9399f055a1ba5e0713a4 Intel::FILE_HASH Mandiant Apt1 Report T -b74022a7b9b63fdc541ae0848b28a962 Intel::FILE_HASH Mandiant Apt1 Report T -b743f6af7e307221ba425d6023ebe42c Intel::FILE_HASH Mandiant Apt1 Report T -b7dba6184f07b1e824362a2307d91ae2 Intel::FILE_HASH Mandiant Apt1 Report T -b8277cce81e0a372bc35d33a0c9483c2 Intel::FILE_HASH Mandiant Apt1 Report T -b86e89a42a1c1bc6ea15096c68e38ba4 Intel::FILE_HASH Mandiant Apt1 Report T -b883f8e5a1420d1f511266b9253c11c4 Intel::FILE_HASH Mandiant Apt1 Report T -b8dfe540bef505cd1adbd5f8ff31d028 Intel::FILE_HASH Mandiant Apt1 Report T -b8f61242e28f2edf6cb1be8781438491 Intel::FILE_HASH Mandiant Apt1 Report T -b92db06d17d3bf906c47a0384e771076 Intel::FILE_HASH Mandiant Apt1 Report T -b9b3673a721578b230490f7dfc6df21e Intel::FILE_HASH Mandiant Apt1 Report T -ba0c4d3dbf07d407211b5828405a9b91 Intel::FILE_HASH Mandiant Apt1 Report T -ba10b9486043f76bb9e9a160bc1d2576 Intel::FILE_HASH Mandiant Apt1 Report T -ba56035e10b423734e0ce01bb7bb8b6d Intel::FILE_HASH Mandiant Apt1 Report T -ba773e1608198cf8337c5902d7930710 Intel::FILE_HASH Mandiant Apt1 Report T -baabd9b76bff84ed27fd432cfc6df241 Intel::FILE_HASH Mandiant Apt1 Report T -bac2e89bd92ce23e1e93a63d26dea01a Intel::FILE_HASH Mandiant Apt1 Report T -bb286e9969ca197b461286b679c0886e Intel::FILE_HASH Mandiant Apt1 Report T -bc7092008ca37adf497b75eb98e2e175 Intel::FILE_HASH Mandiant Apt1 Report T -bc723e4f93a3bf85f4d1e1910393d1a3 Intel::FILE_HASH Mandiant Apt1 Report T -bc756bb6bf4e7b2058e8dce6ba8b1a79 Intel::FILE_HASH Mandiant Apt1 Report T -bca9bd0abbb31a422458abf521a6a2fb Intel::FILE_HASH Mandiant Apt1 Report T -bcb087f69792b69494a3edad51a842bb Intel::FILE_HASH Mandiant Apt1 Report T -bcbdef1678049378be04719ed29078d2 Intel::FILE_HASH Mandiant Apt1 Report T -bcdf8cb0868daaec3ba6176e3e7d3cfc Intel::FILE_HASH Mandiant Apt1 Report T -bce4b77a4e4acc70a3f6f52ec0a2f033 Intel::FILE_HASH Mandiant Apt1 Report T -bd15714360c12ffca4c3c1e86fc69d0e Intel::FILE_HASH Mandiant Apt1 Report T -bd402e910e03b70f00685d8b8be5093c Intel::FILE_HASH Mandiant Apt1 Report T -bd8b082b7711bc980252f988bb0ca936 Intel::FILE_HASH Mandiant Apt1 Report T -bdc5e16aec2c3796fb879a5c260d6ca9 Intel::FILE_HASH Mandiant Apt1 Report T -bdd2ad4c0e1e5667d117810ae9e36c4b Intel::FILE_HASH Mandiant Apt1 Report T -be58ff564c854be419a19a030af25c86 Intel::FILE_HASH Mandiant Apt1 Report T -be74bf5afd4ba64cc8ce237307e9254d Intel::FILE_HASH Mandiant Apt1 Report T -bebbbc50a561681f48d174d6b7c2824e Intel::FILE_HASH Mandiant Apt1 Report T -bee9b7835a02973678e9ead683da1ac4 Intel::FILE_HASH Mandiant Apt1 Report T -bf0d5aff9c1f33e089c9c85f03c6ba8a Intel::FILE_HASH Mandiant Apt1 Report T -bf0ee4367ea32f8e3b911c304258e439 Intel::FILE_HASH Mandiant Apt1 Report T -bf80dbf969b73790253f683cd723fd71 Intel::FILE_HASH Mandiant Apt1 Report T -bf9aeefc53d97bb23d35d47986504cef Intel::FILE_HASH Mandiant Apt1 Report T -bfcae0468de0c7bcf92e9989589082f1 Intel::FILE_HASH Mandiant Apt1 Report T -c0134285a276ab933e2a2b9b33b103cd Intel::FILE_HASH Mandiant Apt1 Report T -c044715c2626ab515f6c85a21c47c7dd Intel::FILE_HASH Mandiant Apt1 Report T -c04c796ef126ad7429be7d55720fe392 Intel::FILE_HASH Mandiant Apt1 Report T -c0a33a1b472a8c16123fd696a5ce5ebb Intel::FILE_HASH Mandiant Apt1 Report T -c0a494e643c42a89d5bf718ea274df04 Intel::FILE_HASH Mandiant Apt1 Report T -c110f08399c5dca64d7dc4539eb82083 Intel::FILE_HASH Mandiant Apt1 Report T -c116f5f89e24c7de3ea9cae83b7fc829 Intel::FILE_HASH Mandiant Apt1 Report T -c1bd23ece59e36143d80f7eec0e38c52 Intel::FILE_HASH Mandiant Apt1 Report T -c21591aa72ac72872f5bd05bbca5e4da Intel::FILE_HASH Mandiant Apt1 Report T -c2a79bb15a31fd6584d9bf0891673d14 Intel::FILE_HASH Mandiant Apt1 Report T -c2e06531a2e6de3c1b7d18b14af53fdf Intel::FILE_HASH Mandiant Apt1 Report T -c2fa9f567fd34fb14fee6a38b6644ff9 Intel::FILE_HASH Mandiant Apt1 Report T -c307bad133cc160a0129fda4c57e0f52 Intel::FILE_HASH Mandiant Apt1 Report T -c30c7fa2eb06fc8c9ebbe955abe26edd Intel::FILE_HASH Mandiant Apt1 Report T -c39bc83c16f9db8a7c43a966048bca7b Intel::FILE_HASH Mandiant Apt1 Report T -c39e272e9ea15d61e0c8e6b749a1ad46 Intel::FILE_HASH Mandiant Apt1 Report T -c3af09a9fc487314eb4c9fe92a01845a Intel::FILE_HASH Mandiant Apt1 Report T -c3dbd79adfa21706f5451cc68331d31e Intel::FILE_HASH Mandiant Apt1 Report T -c3de028cbc5aa0934008d95689d5f334 Intel::FILE_HASH Mandiant Apt1 Report T -c3e5603a38e700274d1ab30ce93d08b9 Intel::FILE_HASH Mandiant Apt1 Report T -c4188c3bb6982d41aa783c499113a8e3 Intel::FILE_HASH Mandiant Apt1 Report T -c41e44045cebebfba234063de8fd7c4d Intel::FILE_HASH Mandiant Apt1 Report T -c425b8782075da33cba5aae5ad612582 Intel::FILE_HASH Mandiant Apt1 Report T -c4c638750526e28f68d6d71fd1266bdf Intel::FILE_HASH Mandiant Apt1 Report T -c4f144febf16ff8f36df15353d5347ce Intel::FILE_HASH Mandiant Apt1 Report T -c53332a5bf112f03ed22b06d85140626 Intel::FILE_HASH Mandiant Apt1 Report T -c65617a4eedb8e0369ef8fe58ce20a02 Intel::FILE_HASH Mandiant Apt1 Report T -c69a708a2a8e4581dd95f90da3833840 Intel::FILE_HASH Mandiant Apt1 Report T -c6a29993234488fcbdcf45668eac9c47 Intel::FILE_HASH Mandiant Apt1 Report T -c6a4bb1a4e4f69ec71855d70d6960859 Intel::FILE_HASH Mandiant Apt1 Report T -c72edb12880a9af12b439a7a2d0584c1 Intel::FILE_HASH Mandiant Apt1 Report T -c763e041c8e85c195ade90e120338be7 Intel::FILE_HASH Mandiant Apt1 Report T -c799e1d25839e1efb2b3d42d6d6efd26 Intel::FILE_HASH Mandiant Apt1 Report T -c7b48b6965642b504f6f36933762df8a Intel::FILE_HASH Mandiant Apt1 Report T -c8d2b7f92fff545b3b19e9b1e1057071 Intel::FILE_HASH Mandiant Apt1 Report T -c9172b3e83c782bc930c06b628f31fa5 Intel::FILE_HASH Mandiant Apt1 Report T -c91eacab7655870764d13ba741aa9a73 Intel::FILE_HASH Mandiant Apt1 Report T -c99fa835350aa9e2427ce69323b061a9 Intel::FILE_HASH Mandiant Apt1 Report T -c9f77569aa98f71cc42644d66d9f371c Intel::FILE_HASH Mandiant Apt1 Report T -ca27a87928443e21dc279008008018ba Intel::FILE_HASH Mandiant Apt1 Report T -ca327bc83fbe38b3689cd1a5505dfc33 Intel::FILE_HASH Mandiant Apt1 Report T -ca68ccc887cfe5d2194f6a4d3101ae66 Intel::FILE_HASH Mandiant Apt1 Report T -ca6fe7a1315af5afeac2961460a80569 Intel::FILE_HASH Mandiant Apt1 Report T -ca899eda2c32e7d305272dd48bc8e1e1 Intel::FILE_HASH Mandiant Apt1 Report T -ca9c1f8d709ed34d388dc7cba2bd7602 Intel::FILE_HASH Mandiant Apt1 Report T -caf33d1e15953c0e782846e1709498f6 Intel::FILE_HASH Mandiant Apt1 Report T -cb15768a3e5c86d22289dcefec56d8a2 Intel::FILE_HASH Mandiant Apt1 Report T -cb3a9d7505be48019e242fbccc7e5f6b Intel::FILE_HASH Mandiant Apt1 Report T -cb3c5c3f53ecb2cb656fb0f4b8de03f6 Intel::FILE_HASH Mandiant Apt1 Report T -cc0b9bf4ea738d63f06bfe411460412b Intel::FILE_HASH Mandiant Apt1 Report T -cc17fe9f2d254ad28d050bf5c1df983d Intel::FILE_HASH Mandiant Apt1 Report T -cc3a9a7b026bfe0e55ff219fd6aa7d94 Intel::FILE_HASH Mandiant Apt1 Report T -cc7c8aba24c66373502ba5934696b7b6 Intel::FILE_HASH Mandiant Apt1 Report T -cca290cd2abe96392378b71e9835ce06 Intel::FILE_HASH Mandiant Apt1 Report T -ccfb7a84bb87cc8f86ddd260ad38ed5b Intel::FILE_HASH Mandiant Apt1 Report T -cd2102c5db1ed828a9c196448c40af3e Intel::FILE_HASH Mandiant Apt1 Report T -cd4674e2b7be30121a46a053205472a8 Intel::FILE_HASH Mandiant Apt1 Report T -cd677f9ede43b4b86b421db249c0e020 Intel::FILE_HASH Mandiant Apt1 Report T -cd6c1dbf08d8864b382678284ef13358 Intel::FILE_HASH Mandiant Apt1 Report T -ce003a75c85627cbc7e6eb39beff0722 Intel::FILE_HASH Mandiant Apt1 Report T -cf038194f0fe222f31ec24cb80941bb1 Intel::FILE_HASH Mandiant Apt1 Report T -cf9c2d5a8fbdd1c5adc20cfc5e663c21 Intel::FILE_HASH Mandiant Apt1 Report T -cfc6112254a69030521d0d2bba152d4d Intel::FILE_HASH Mandiant Apt1 Report T -cfce9478c880934b3548c3022a956e14 Intel::FILE_HASH Mandiant Apt1 Report T -cfe738fcc07b9ece6a11c3390d43b5df Intel::FILE_HASH Mandiant Apt1 Report T -d0d5a20c5a6c4fddab4d43b85632b6a9 Intel::FILE_HASH Mandiant Apt1 Report T -d0fb18b1e1f642f595a4746826350c21 Intel::FILE_HASH Mandiant Apt1 Report T -d16947b200afa74a917f055597b772c0 Intel::FILE_HASH Mandiant Apt1 Report T -d197c388184fef263b7944a7186bc6db Intel::FILE_HASH Mandiant Apt1 Report T -d1a18c7de189170c588e7128ec3f8453 Intel::FILE_HASH Mandiant Apt1 Report T -d20f0fbd001fd30610c3317fd3c6f7c0 Intel::FILE_HASH Mandiant Apt1 Report T -d22863c5e6f098a4b52688b021beef0a Intel::FILE_HASH Mandiant Apt1 Report T -d25be76b6d871a26eec08ad1bee0273d Intel::FILE_HASH Mandiant Apt1 Report T -d262cb8267beb0e218f6d11d6af9052e Intel::FILE_HASH Mandiant Apt1 Report T -d263fed2e1c18f2cb439afcef0cd1b45 Intel::FILE_HASH Mandiant Apt1 Report T -d271ae0f4e9230af3b61eafe7f671fde Intel::FILE_HASH Mandiant Apt1 Report T -d2c616bf238fc18f9ea0a1643bd2d4bc Intel::FILE_HASH Mandiant Apt1 Report T -d2f1be7e10ed39aa8bc0f7f671d824d2 Intel::FILE_HASH Mandiant Apt1 Report T -d3358ed4001ec0366fa23fe82759df2a Intel::FILE_HASH Mandiant Apt1 Report T -d34e357461c55d90c52309c1ff952b4c Intel::FILE_HASH Mandiant Apt1 Report T -d3f9d4bc51db1e602093e3003fc789d9 Intel::FILE_HASH Mandiant Apt1 Report T -d41c6005a75a6d28480d63f540d36c70 Intel::FILE_HASH Mandiant Apt1 Report T -d47b04327157fb188c0e81886e346c48 Intel::FILE_HASH Mandiant Apt1 Report T -d4ba6430996fb4021241efc97c607504 Intel::FILE_HASH Mandiant Apt1 Report T -d4c1bfc5cd3e33643a562696d5d29bf2 Intel::FILE_HASH Mandiant Apt1 Report T -d4c7f1f80883412f9796f1270accff50 Intel::FILE_HASH Mandiant Apt1 Report T -d5e56f7da9d2a78e49d3d0685e9613ca Intel::FILE_HASH Mandiant Apt1 Report T -d5fd1ce9189cd54f157d691e317c0821 Intel::FILE_HASH Mandiant Apt1 Report T -d60ee4a39667a733c075bb7f7b36285a Intel::FILE_HASH Mandiant Apt1 Report T -d62cd4ad2a919b6acfa6d49d446dffdb Intel::FILE_HASH Mandiant Apt1 Report T -d6a01b61f490488d61dfb9376186d844 Intel::FILE_HASH Mandiant Apt1 Report T -d74b169e98dd16d0f3af0dc770dffac0 Intel::FILE_HASH Mandiant Apt1 Report T -d751c7f7d2eab52c43ab31312e229307 Intel::FILE_HASH Mandiant Apt1 Report T -d76ea982d614c66c5faa36ab5fdd8b41 Intel::FILE_HASH Mandiant Apt1 Report T -d776379bda9fdf695d6a54db8a5b4c72 Intel::FILE_HASH Mandiant Apt1 Report T -d7796209412da17b2ee2ccf2309b4abf Intel::FILE_HASH Mandiant Apt1 Report T -d7aa32b7465f55c368230bb52d52d885 Intel::FILE_HASH Mandiant Apt1 Report T -d802a0c3e0c3dcac43877bd488f2b042 Intel::FILE_HASH Mandiant Apt1 Report T -d8238e950608e5aba3d3e9e83e9ee2cc Intel::FILE_HASH Mandiant Apt1 Report T -d8315c114107b7418c32f85e263766b7 Intel::FILE_HASH Mandiant Apt1 Report T -d8b7b276710127d233abcdb7313aac36 Intel::FILE_HASH Mandiant Apt1 Report T -d8fdd9cfca25315635378dd2564094ca Intel::FILE_HASH Mandiant Apt1 Report T -d915f1c6792eed61dddb30e512e6c202 Intel::FILE_HASH Mandiant Apt1 Report T -d9b1c95fb4424cf69a0ac8e40b3ab39b Intel::FILE_HASH Mandiant Apt1 Report T -d9c4ebd61c1aee52b3597aae048a592f Intel::FILE_HASH Mandiant Apt1 Report T -d9fb6620e4402764bbf2088de02898ca Intel::FILE_HASH Mandiant Apt1 Report T -d9fbf759f527af373e34673dc3aca462 Intel::FILE_HASH Mandiant Apt1 Report T -da383cc098a5ea8fbb87643611e4bfb6 Intel::FILE_HASH Mandiant Apt1 Report T -da52e6701c9eba92459c6be28efdba74 Intel::FILE_HASH Mandiant Apt1 Report T -da5ff7927d608d7ccc7495939d457bd3 Intel::FILE_HASH Mandiant Apt1 Report T -da60673b4f2a4660d2734a16a832282f Intel::FILE_HASH Mandiant Apt1 Report T -da6b0ee7ec735029d1ff4fa863a71de8 Intel::FILE_HASH Mandiant Apt1 Report T -db05df0498b59b42a8e493cf3c10c578 Intel::FILE_HASH Mandiant Apt1 Report T -db2580f5675f04716481b24bb7af468e Intel::FILE_HASH Mandiant Apt1 Report T -db50416d9e67f4982e89e0ffb0ade6f3 Intel::FILE_HASH Mandiant Apt1 Report T -db5805604f84b7303fa04feb18ce8271 Intel::FILE_HASH Mandiant Apt1 Report T -dba356a4726b94731e6ea97aa73cfc3f Intel::FILE_HASH Mandiant Apt1 Report T -dbdd2a9c86e71ba0c9953ff4f89cc25b Intel::FILE_HASH Mandiant Apt1 Report T -dc059121677ec7a038589cda28cbcc49 Intel::FILE_HASH Mandiant Apt1 Report T -dc1cff84900afc9d292b305f9b9aae34 Intel::FILE_HASH Mandiant Apt1 Report T -dc373f011e86d5528ca4824bb287c406 Intel::FILE_HASH Mandiant Apt1 Report T -dc78fd49b7f39fa3bb06b927e8413dd0 Intel::FILE_HASH Mandiant Apt1 Report T -dcb90efe7e09d6900242af25aeca7b73 Intel::FILE_HASH Mandiant Apt1 Report T -dd1222f96024ac28179c7508e4193285 Intel::FILE_HASH Mandiant Apt1 Report T -dd1bede0e42d26fd2439a6e48547023c Intel::FILE_HASH Mandiant Apt1 Report T -dd21d1ea2146861a4219b1cbdaefe59b Intel::FILE_HASH Mandiant Apt1 Report T -ddf3db31f9fa21cd43ff19dde393aba8 Intel::FILE_HASH Mandiant Apt1 Report T -de016572ade175d37cfbfabe8174391a Intel::FILE_HASH Mandiant Apt1 Report T -df4da15796910690b05e393561b86fa1 Intel::FILE_HASH Mandiant Apt1 Report T -df5c89d49ef8997c9b5abd8f808298c8 Intel::FILE_HASH Mandiant Apt1 Report T -dff4d874b2bfc64a4d1805959c379074 Intel::FILE_HASH Mandiant Apt1 Report T -dffd04ea26c03d3f6c67e10405abc5ad Intel::FILE_HASH Mandiant Apt1 Report T -e06145fccac413d8c753bc822619945c Intel::FILE_HASH Mandiant Apt1 Report T -e0c4cbf3ed293e8a8df3f3987b42caac Intel::FILE_HASH Mandiant Apt1 Report T -e0fc0fae758d7c6091cdb11d5ef98e0e Intel::FILE_HASH Mandiant Apt1 Report T -e1b6940985a23e5639450f8391820655 Intel::FILE_HASH Mandiant Apt1 Report T -e22f2e9ee73ab8b12ee5069f7e39a615 Intel::FILE_HASH Mandiant Apt1 Report T -e24e889e826df04f552e0d133548b693 Intel::FILE_HASH Mandiant Apt1 Report T -e43040ede0645a38ea5a35c26192126f Intel::FILE_HASH Mandiant Apt1 Report T -e476e4a24f8b4ff4c8a0b260aa35fc9f Intel::FILE_HASH Mandiant Apt1 Report T -e480c8839e819eaa9b19d53acfa95052 Intel::FILE_HASH Mandiant Apt1 Report T -e4a9b8993e55e3d0ba355b13d1f27a2e Intel::FILE_HASH Mandiant Apt1 Report T -e4be1e46775081b1d5405b3dd7dd1c64 Intel::FILE_HASH Mandiant Apt1 Report T -e50af782414228e52e59bcbe518b1966 Intel::FILE_HASH Mandiant Apt1 Report T -e5237615fde0977c0ea3626fba609ab8 Intel::FILE_HASH Mandiant Apt1 Report T -e54ce5f0112c9fdfe86db17e85a5e2c5 Intel::FILE_HASH Mandiant Apt1 Report T -e55f7d80d99b6aacb0c8d9ed46856d25 Intel::FILE_HASH Mandiant Apt1 Report T -e56e4b20ef6dc09d29be49481bd29561 Intel::FILE_HASH Mandiant Apt1 Report T -e649f31f7f3a7b15ce1290e8d096c058 Intel::FILE_HASH Mandiant Apt1 Report T -e64d657ce32118b415fa91dc05037c4c Intel::FILE_HASH Mandiant Apt1 Report T -e65c0b3f4dd2f3c9f728077ed1e48f7e Intel::FILE_HASH Mandiant Apt1 Report T -e65db662e449cab03a6c1ac51af41360 Intel::FILE_HASH Mandiant Apt1 Report T -e689b1fb0610b752f42adafc403fa49f Intel::FILE_HASH Mandiant Apt1 Report T -e6c25f9994b723d39c785ddfd38a31b8 Intel::FILE_HASH Mandiant Apt1 Report T -e6ff0431a9a9028808efc582405ea7df Intel::FILE_HASH Mandiant Apt1 Report T -e7f728e3bce0e59c3ba973545a3b3a92 Intel::FILE_HASH Mandiant Apt1 Report T -e83f60fb0e0396ea309faf0aed64e53f Intel::FILE_HASH Mandiant Apt1 Report T -e9df2f69ed3d9c895ad9d399eaff1bc8 Intel::FILE_HASH Mandiant Apt1 Report T -ea1b44094ae4d8e2b63a1771a3e61fd5 Intel::FILE_HASH Mandiant Apt1 Report T -ea3155748f9788b741b6799691250579 Intel::FILE_HASH Mandiant Apt1 Report T -ea34b72cbeb07aaac2398704c3ca6b0f Intel::FILE_HASH Mandiant Apt1 Report T -ea47431d832faff7802710dae0abb0d3 Intel::FILE_HASH Mandiant Apt1 Report T -ea502cd3504e74bac454835bd23e019b Intel::FILE_HASH Mandiant Apt1 Report T -ea7309fa59e9347a0715f164edf6b200 Intel::FILE_HASH Mandiant Apt1 Report T -ea7aeea782173eb19ef880c6a54456f2 Intel::FILE_HASH Mandiant Apt1 Report T -ea8b6c2c083d6b7b2b6ebc015b0488ca Intel::FILE_HASH Mandiant Apt1 Report T -eb0c8b05ee6a4334f45968cf45656597 Intel::FILE_HASH Mandiant Apt1 Report T -eb50c166074ae4f13cfea362dc7b668a Intel::FILE_HASH Mandiant Apt1 Report T -eb61cedc9793226a66e4611e6ea25d7f Intel::FILE_HASH Mandiant Apt1 Report T -ebf8eebe3aa218dea5e3f0b2222267b0 Intel::FILE_HASH Mandiant Apt1 Report T -ec09d3b72b282872db4afb0cc9ba7d9d Intel::FILE_HASH Mandiant Apt1 Report T -ec3a2197ca6b63ee1454d99a6ae145ab Intel::FILE_HASH Mandiant Apt1 Report T -ec63f49236858c85168da81c1ac7802a Intel::FILE_HASH Mandiant Apt1 Report T -ec82a53f44511ac09e916bde02cddef0 Intel::FILE_HASH Mandiant Apt1 Report T -ec8aa67b05407c01094184c33d2b5a44 Intel::FILE_HASH Mandiant Apt1 Report T -ec8c89aa5e521572c74e2dd02a4daf78 Intel::FILE_HASH Mandiant Apt1 Report T -eca18e3872fd32f17410167871fbd1d2 Intel::FILE_HASH Mandiant Apt1 Report T -ecf18654e4a2668fb8b2e3db144809af Intel::FILE_HASH Mandiant Apt1 Report T -ecf900c9d743631b59442240ac4ce9da Intel::FILE_HASH Mandiant Apt1 Report T -edb4faeee6542572aff2ec1b6affbd28 Intel::FILE_HASH Mandiant Apt1 Report T -eef298d0bc5b8c89f582e48556d77b6a Intel::FILE_HASH Mandiant Apt1 Report T -eef80511aa490b2168ed4c9fa5eafef0 Intel::FILE_HASH Mandiant Apt1 Report T -eefa8d6c9a26dcc13604b11bbe5635c1 Intel::FILE_HASH Mandiant Apt1 Report T -ef0a6c79f99a537f932a5e64999972b3 Intel::FILE_HASH Mandiant Apt1 Report T -ef29229f7b633f634db3a5c49a3f4a1c Intel::FILE_HASH Mandiant Apt1 Report T -ef349196b0ffef5a02d30413c8dffc7c Intel::FILE_HASH Mandiant Apt1 Report T -ef6c375e3e6930e2b50e1e97fe6fbcc9 Intel::FILE_HASH Mandiant Apt1 Report T -ef8e0fb20e7228c7492ccdc59d87c690 Intel::FILE_HASH Mandiant Apt1 Report T -efc2025431e7ec8f8784fe81389c77cf Intel::FILE_HASH Mandiant Apt1 Report T -effa99ea879e5be518f242d5820be070 Intel::FILE_HASH Mandiant Apt1 Report T -f02abd537e481109142b6170933d1b3d Intel::FILE_HASH Mandiant Apt1 Report T -f07ac0b4301fccbae233a44e07a2a634 Intel::FILE_HASH Mandiant Apt1 Report T -f0bab119faa296c680a10ba81693915e Intel::FILE_HASH Mandiant Apt1 Report T -f0d2ad2002557a86ecc780bf938b6dfd Intel::FILE_HASH Mandiant Apt1 Report T -f113e1c754679164b0e137449b7631cc Intel::FILE_HASH Mandiant Apt1 Report T -f172ff6b65140f342e6ee51966ea3c4c Intel::FILE_HASH Mandiant Apt1 Report T -f1ad5daacace5d4a7b18a03132ec2716 Intel::FILE_HASH Mandiant Apt1 Report T -f1db65d3c48ad5a9d1576aefdca036d1 Intel::FILE_HASH Mandiant Apt1 Report T -f1e5d9bf7705b4dc5be0b8a90b73a863 Intel::FILE_HASH Mandiant Apt1 Report T -f1eea61e49a3f86e95836d1c9f67e074 Intel::FILE_HASH Mandiant Apt1 Report T -f2009007bd6718582ad62ad29b742f6b Intel::FILE_HASH Mandiant Apt1 Report T -f2693de8b687c20aca98bfc1c5aa5b38 Intel::FILE_HASH Mandiant Apt1 Report T -f3611c5c793f521f7ff2a69c22d4174e Intel::FILE_HASH Mandiant Apt1 Report T -f38e76417c0f87322d55062428283e58 Intel::FILE_HASH Mandiant Apt1 Report T -f3b54c188185ee0921848b3a6ad4751e Intel::FILE_HASH Mandiant Apt1 Report T -f3f2881a1cf3f81f1ecd952ccb616504 Intel::FILE_HASH Mandiant Apt1 Report T -f445b22897a27ac5852ee19589bea8c2 Intel::FILE_HASH Mandiant Apt1 Report T -f4bea18e9d38ab9fa7c1cf6eea2bdc79 Intel::FILE_HASH Mandiant Apt1 Report T -f4ed3b7a8a58453052db4b5be3707342 Intel::FILE_HASH Mandiant Apt1 Report T -f4f8067d501bfef385274912d2a833b5 Intel::FILE_HASH Mandiant Apt1 Report T -f627990bbe2ec5c48c180f724490c332 Intel::FILE_HASH Mandiant Apt1 Report T -f6549d4a4097bac446acf8b31d250d2e Intel::FILE_HASH Mandiant Apt1 Report T -f65eee78ac150924cd37c7f1f3c96518 Intel::FILE_HASH Mandiant Apt1 Report T -f6655e39465c2ff5b016980d918ea028 Intel::FILE_HASH Mandiant Apt1 Report T -f67357d9fa1c3014050f2feefd39c784 Intel::FILE_HASH Mandiant Apt1 Report T -f7c63592ffb87b81ce45c89d207e9403 Intel::FILE_HASH Mandiant Apt1 Report T -f7f85d7f628ce62d1d8f7b39d8940472 Intel::FILE_HASH Mandiant Apt1 Report T -f802b6e448c054c9c16b97ff85646825 Intel::FILE_HASH Mandiant Apt1 Report T -f81991fab3b7d58d66629e26d21176ed Intel::FILE_HASH Mandiant Apt1 Report T -f8437e44748d2c3fcf84019766f4e6dc Intel::FILE_HASH Mandiant Apt1 Report T -f8892c6dacbf7ac756abb361e48bbc82 Intel::FILE_HASH Mandiant Apt1 Report T -f904ea9bc8e2d7ce13a6007183da5957 Intel::FILE_HASH Mandiant Apt1 Report T -f9a46d5024c05a827912a89ca270c553 Intel::FILE_HASH Mandiant Apt1 Report T -f9ed623f13481da16a97aeacdca646dc Intel::FILE_HASH Mandiant Apt1 Report T -fa11cb78f53db2d2718d536d4bd20b85 Intel::FILE_HASH Mandiant Apt1 Report T -fa66312d7e2ed95814f30871cae61d7c Intel::FILE_HASH Mandiant Apt1 Report T -fab6b0b33d59f393e142000f128a9652 Intel::FILE_HASH Mandiant Apt1 Report T -fab7c555a511f4d4e318817455bbb75a Intel::FILE_HASH Mandiant Apt1 Report T -fad92f849e3bbfab211af339eb6a8d66 Intel::FILE_HASH Mandiant Apt1 Report T -fade2270a6c7cb47893ac600a9a0509f Intel::FILE_HASH Mandiant Apt1 Report T -fae6eaf695af058af4b8dfee0709bf51 Intel::FILE_HASH Mandiant Apt1 Report T -fb671e6de6e301c892d2fdaa58f9cd9a Intel::FILE_HASH Mandiant Apt1 Report T -fbde5068f85ce0aac2e9ff387b5f8c06 Intel::FILE_HASH Mandiant Apt1 Report T -fc1937c1aa536b3744ebdfb1716fd54d Intel::FILE_HASH Mandiant Apt1 Report T -fc50743af221ccbff7b7c7ec378117f4 Intel::FILE_HASH Mandiant Apt1 Report T -fc89424a2d33ea5af3f49b02e743773b Intel::FILE_HASH Mandiant Apt1 Report T -fc9d20d555a88fc827f3a2bfec4dfa36 Intel::FILE_HASH Mandiant Apt1 Report T -fcdaa67e33357f64bc4ce7b57491fc53 Intel::FILE_HASH Mandiant Apt1 Report T -fd37fa026747059559197461aa7c63e6 Intel::FILE_HASH Mandiant Apt1 Report T -fdef1329ae626656c8389f82c4f9ad38 Intel::FILE_HASH Mandiant Apt1 Report T -fe5ba680a96757ff232d4bad9c0db2b8 Intel::FILE_HASH Mandiant Apt1 Report T -fe8ff84a23feb673a59d8571575fee0b Intel::FILE_HASH Mandiant Apt1 Report T -feb406ff01d9fd5abc5ea079e0543e31 Intel::FILE_HASH Mandiant Apt1 Report T -fefa3638e4d6f2e00b5194ae3fa0c931 Intel::FILE_HASH Mandiant Apt1 Report T -ff085d421518772ce2df75282363279f Intel::FILE_HASH Mandiant Apt1 Report T -ff9aa093a37819af65a06046ea0c830c Intel::FILE_HASH Mandiant Apt1 Report T -ffcc7271e951055f12b61f520ce1e4c7 Intel::FILE_HASH Mandiant Apt1 Report T diff --git a/salt/deprecated-bro/policy/securityonion/bpfconf.bro b/salt/deprecated-bro/policy/securityonion/bpfconf.bro deleted file mode 100644 index 595aef8f2..000000000 --- a/salt/deprecated-bro/policy/securityonion/bpfconf.bro +++ /dev/null @@ -1,106 +0,0 @@ -##! This script is to support the bpf.conf file like other network monitoring tools use. -##! Please don't try to learn from this script right now, there are a large number of -##! hacks in it to work around bugs discovered in Bro. - -@load base/frameworks/notice - -module BPFConf; - -export { - ## The file that is watched on disk for BPF filter changes. - ## Two templated variables are available; "sensorname" and "interface". - ## They can be used by surrounding the term by doubled curly braces. - const filename = "/opt/bro/share/bro/site/bpf" &redef; - - redef enum Notice::Type += { - ## Invalid filter notice. - InvalidFilter - }; -} - -global filter_parts: vector of string = vector(); -global current_filter_filename = ""; - -type FilterLine: record { - s: string; -}; - -redef enum PcapFilterID += { - BPFConfPcapFilter, -}; - -event BPFConf::line(description: Input::EventDescription, tpe: Input::Event, s: string) - { - local part = sub(s, /[[:blank:]]*#.*$/, ""); - - # We don't want any blank parts. - if ( part != "" ) - filter_parts[|filter_parts|] = part; - } - -event Input::end_of_data(name: string, source:string) - { - if ( name == "bpfconf" ) - { - local filter = join_string_vec(filter_parts, " "); - capture_filters["bpf.conf"] = filter; - if ( Pcap::precompile_pcap_filter(BPFConfPcapFilter, filter) ) - { - PacketFilter::install(); - } - else - { - NOTICE([$note=InvalidFilter, - $msg=fmt("Compiling packet filter from %s failed", filename), - $sub=filter]); - } - - filter_parts=vector(); - } - } - - -function add_filter_file() - { - local real_filter_filename = BPFConf::filename; - - # Support the interface template value. - #if ( SecurityOnion::sensorname != "" ) - # real_filter_filename = gsub(real_filter_filename, /\{\{sensorname\}\}/, SecurityOnion::sensorname); - - # Support the interface template value. - #if ( SecurityOnion::interface != "" ) - # real_filter_filename = gsub(real_filter_filename, /\{\{interface\}\}/, SecurityOnion::interface); - - #if ( /\{\{/ in real_filter_filename ) - # { - # return; - # } - #else - # Reporter::info(fmt("BPFConf filename set: %s (%s)", real_filter_filename, Cluster::node)); - - if ( real_filter_filename != current_filter_filename ) - { - current_filter_filename = real_filter_filename; - Input::add_event([$source=real_filter_filename, - $name="bpfconf", - $reader=Input::READER_RAW, - $mode=Input::REREAD, - $want_record=F, - $fields=FilterLine, - $ev=BPFConf::line]); - } - } - -#event SecurityOnion::found_sensorname(name: string) -# { -# add_filter_file(); -# } - -event bro_init() &priority=5 - { - if ( BPFConf::filename != "" ) - add_filter_file(); - } - - diff --git a/salt/deprecated-bro/policy/securityonion/conn-add-sensorname.bro b/salt/deprecated-bro/policy/securityonion/conn-add-sensorname.bro deleted file mode 100644 index 0fbe50297..000000000 --- a/salt/deprecated-bro/policy/securityonion/conn-add-sensorname.bro +++ /dev/null @@ -1,10 +0,0 @@ -global sensorname = "{{ grains.host }}"; - -redef record Conn::Info += { - sensorname: string &log &optional; -}; - -event connection_state_remove(c: connection) - { - c$conn$sensorname = sensorname; - } diff --git a/salt/deprecated-bro/policy/securityonion/file-extraction/__load__.bro b/salt/deprecated-bro/policy/securityonion/file-extraction/__load__.bro deleted file mode 100644 index b2707c803..000000000 --- a/salt/deprecated-bro/policy/securityonion/file-extraction/__load__.bro +++ /dev/null @@ -1 +0,0 @@ -@load ./extract diff --git a/salt/deprecated-bro/policy/securityonion/file-extraction/extract.bro b/salt/deprecated-bro/policy/securityonion/file-extraction/extract.bro deleted file mode 100644 index 7f0f1c902..000000000 --- a/salt/deprecated-bro/policy/securityonion/file-extraction/extract.bro +++ /dev/null @@ -1,21 +0,0 @@ -global ext_map: table[string] of string = { - ["application/x-dosexec"] = "exe", - ["text/plain"] = "txt", - ["image/jpeg"] = "jpg", - ["image/png"] = "png", - ["text/html"] = "html", -} &default =""; - -event file_sniff(f: fa_file, meta: fa_metadata) - { - if ( ! meta?$mime_type || meta$mime_type != "application/x-dosexec" ) - return; - - local ext = ""; - - if ( meta?$mime_type ) - ext = ext_map[meta$mime_type]; - - local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext); - Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]); - } diff --git a/salt/deprecated-bro/policy/securityonion/json-logs/__load__.bro b/salt/deprecated-bro/policy/securityonion/json-logs/__load__.bro deleted file mode 100644 index 780208248..000000000 --- a/salt/deprecated-bro/policy/securityonion/json-logs/__load__.bro +++ /dev/null @@ -1,3 +0,0 @@ -@load tuning/json-logs -redef LogAscii::json_timestamps = JSON::TS_ISO8601; -redef LogAscii::use_json = T; diff --git a/salt/domainstats/init.sls b/salt/domainstats/init.sls index 01e673764..8d329c785 100644 --- a/salt/domainstats/init.sls +++ b/salt/domainstats/init.sls @@ -13,6 +13,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} + # Create the group dstatsgroup: group.present: @@ -37,13 +39,13 @@ dstatslogdir: so-domainstatsimage: cmd.run: - - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-domainstats:HH1.0.3 + - name: docker pull --disable-content-trust=false docker.io/{{ IMAGEREPO }}/so-domainstats:HH1.0.3 so-domainstats: docker_container.running: - require: - so-domainstatsimage - - image: docker.io/soshybridhunter/so-domainstats:HH1.0.3 + - image: docker.io/{{ IMAGEREPO }}/so-domainstats:HH1.0.3 - hostname: domainstats - name: so-domainstats - user: domainstats diff --git a/salt/elastalert/files/elastalert_config.yaml b/salt/elastalert/files/elastalert_config.yaml index 2ecf08ffa..7646e8221 100644 --- a/salt/elastalert/files/elastalert_config.yaml +++ b/salt/elastalert/files/elastalert_config.yaml @@ -1,5 +1,5 @@ -{% set esip = salt['pillar.get']('master:mainip', '') %} -{% set esport = salt['pillar.get']('master:es_port', '') %} +{% set esip = salt['pillar.get']('manager:mainip', '') %} +{% set esport = salt['pillar.get']('manager:es_port', '') %} # This is the folder that contains the rule yaml files # Any .yaml file will be loaded as a rule rules_folder: /opt/elastalert/rules/ @@ -86,3 +86,25 @@ alert_time_limit: index_settings: shards: 1 replicas: 0 + +logging: + version: 1 + incremental: false + disable_existing_loggers: false + formatters: + logline: + format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s' + + handlers: + file: + class : logging.FileHandler + formatter: logline + level: INFO + filename: /var/log/elastalert/elastalert.log + + loggers: + '': + level: INFO + handlers: + - file + propagate: false diff --git a/salt/elastalert/files/modules/so/playbook-es.py b/salt/elastalert/files/modules/so/playbook-es.py index 0ba3f3601..c794bdf12 100644 --- a/salt/elastalert/files/modules/so/playbook-es.py +++ b/salt/elastalert/files/modules/so/playbook-es.py @@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- -from datetime import date +from time import gmtime, strftime import requests,json from elastalert.alerts import Alerter @@ -13,11 +13,12 @@ class PlaybookESAlerter(Alerter): def alert(self, matches): for match in matches: + today = strftime("%Y.%m.%d", gmtime()) + timestamp = strftime("%Y-%m-%d"'T'"%H:%M:%S", gmtime()) headers = {"Content-Type": "application/json"} - payload = {"play_title": self.rule['play_title'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"data": match} - today = str(date.today()) - url = f"http://{self.rule['elasticsearch_host']}/playbook-alerts-{today}/_doc/" + payload = {"rule.name": self.rule['play_title'],"event.severity": self.rule['event.severity'],"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"event.module": self.rule['event.module'],"event.dataset": self.rule['event.dataset'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"rule.category": self.rule['rule.category'],"data": match, "@timestamp": timestamp} + url = f"http://{self.rule['elasticsearch_host']}/so-playbook-alerts-{today}/_doc/" requests.post(url, data=json.dumps(payload), headers=headers, verify=False) def get_info(self): - return {'type': 'PlaybookESAlerter'} + return {'type': 'PlaybookESAlerter'} \ No newline at end of file diff --git a/salt/elastalert/files/rules/so/nids2hive.yaml b/salt/elastalert/files/rules/so/nids2hive.yaml deleted file mode 100644 index 097511d56..000000000 --- a/salt/elastalert/files/rules/so/nids2hive.yaml +++ /dev/null @@ -1,52 +0,0 @@ -{% set es = salt['pillar.get']('static:masterip', '') %} -{% set hivehost = salt['pillar.get']('static:masterip', '') %} -{% set hivekey = salt['pillar.get']('static:hivekey', '') %} -{% set MASTER = salt['pillar.get']('master:url_base', '') %} - -# hive.yaml -# Elastalert rule to forward IDS alerts from Security Onion to a specified TheHive instance. -# -es_host: {{es}} -es_port: 9200 -name: NIDS-Alert -type: frequency -index: "so-ids-*" -num_events: 1 -timeframe: - minutes: 10 -buffer_time: - minutes: 10 -allow_buffer_time_overlap: true -query_key: ["rule.uuid"] -realert: - days: 1 -filter: -- query: - query_string: - query: "event.module: suricata" - -alert: hivealerter - -hive_connection: - hive_host: http://{{hivehost}} - hive_port: 9000/thehive - hive_apikey: {{hivekey}} - -hive_proxies: - http: '' - https: '' - -hive_alert_config: - title: '{match[rule][name]}' - type: 'NIDS' - source: 'SecurityOnion' - description: "`Hunting Pivot:` \n\n \n\n `Kibana Dashboard - Signature Drilldown:` \n\n \n\n `Kibana Dashboard - Community_ID:` \n\n \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}" - severity: 2 - tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}'] - tlp: 3 - status: 'New' - follow: True - -hive_observable_data_mapping: - - ip: '{match[source][ip]}' - - ip: '{match[destination][ip]}' diff --git a/salt/elastalert/files/rules/so/suricata_thehive.yaml b/salt/elastalert/files/rules/so/suricata_thehive.yaml new file mode 100644 index 000000000..cd887c9f9 --- /dev/null +++ b/salt/elastalert/files/rules/so/suricata_thehive.yaml @@ -0,0 +1,51 @@ +{% set es = salt['pillar.get']('static:managerip', '') %} +{% set hivehost = salt['pillar.get']('static:managerip', '') %} +{% set hivekey = salt['pillar.get']('static:hivekey', '') %} +{% set MANAGER = salt['pillar.get']('manager:url_base', '') %} + +# Elastalert rule to forward Suricata alerts from Security Onion to a specified TheHive instance. +# +es_host: {{es}} +es_port: 9200 +name: Suricata-Alert +type: frequency +index: "so-ids-*" +num_events: 1 +timeframe: + minutes: 10 +buffer_time: + minutes: 10 +allow_buffer_time_overlap: true +query_key: ["rule.uuid","source.ip","destination.ip"] +realert: + days: 1 +filter: +- query: + query_string: + query: "event.module: suricata AND rule.severity:(1 OR 2)" + +alert: hivealerter + +hive_connection: + hive_host: http://{{hivehost}} + hive_port: 9000/thehive + hive_apikey: {{hivekey}} + +hive_proxies: + http: '' + https: '' + +hive_alert_config: + title: '{match[rule][name]}' + type: 'NIDS' + source: 'SecurityOnion' + description: "`SOC Hunt Pivot:` \n\n \n\n `Kibana Dashboard Pivot:` \n\n \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}" + severity: 2 + tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}'] + tlp: 3 + status: 'New' + follow: True + +hive_observable_data_mapping: + - ip: '{match[source][ip]}' + - ip: '{match[destination][ip]}' diff --git a/salt/elastalert/files/rules/so/wazuh_thehive.yaml b/salt/elastalert/files/rules/so/wazuh_thehive.yaml new file mode 100644 index 000000000..ccb79e1e5 --- /dev/null +++ b/salt/elastalert/files/rules/so/wazuh_thehive.yaml @@ -0,0 +1,49 @@ +{% set es = salt['pillar.get']('static:managerip', '') %} +{% set hivehost = salt['pillar.get']('static:managerip', '') %} +{% set hivekey = salt['pillar.get']('static:hivekey', '') %} +{% set MANAGER = salt['pillar.get']('manager:url_base', '') %} + +# Elastalert rule to forward high level Wazuh alerts from Security Onion to a specified TheHive instance. +# +es_host: {{es}} +es_port: 9200 +name: Wazuh-Alert +type: frequency +index: "so-ossec-*" +num_events: 1 +timeframe: + minutes: 10 +buffer_time: + minutes: 10 +allow_buffer_time_overlap: true +realert: + days: 1 +filter: +- query: + query_string: + query: "event.module: ossec AND rule.level>=8" + +alert: hivealerter + +hive_connection: + hive_host: http://{{hivehost}} + hive_port: 9000/thehive + hive_apikey: {{hivekey}} + +hive_proxies: + http: '' + https: '' + +hive_alert_config: + title: '{match[rule][name]}' + type: 'wazuh' + source: 'SecurityOnion' + description: "`SOC Hunt Pivot:` \n\n \n\n `Kibana Dashboard Pivot:` \n\n " + severity: 2 + tags: ['{match[rule][id]}','{match[host][name]}'] + tlp: 3 + status: 'New' + follow: True + +hive_observable_data_mapping: + - other: '{match[host][name]}' diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 3b0b3fafe..5703b8717 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -13,14 +13,15 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} -{% if grains['role'] in ['so-eval','so-mastersearch', 'so-master', 'so-standalone'] %} - {% set esalert = salt['pillar.get']('master:elastalert', '1') %} - {% set esip = salt['pillar.get']('master:mainip', '') %} - {% set esport = salt['pillar.get']('master:es_port', '') %} +{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} + {% set esalert = salt['pillar.get']('manager:elastalert', '1') %} + {% set esip = salt['pillar.get']('manager:mainip', '') %} + {% set esport = salt['pillar.get']('manager:es_port', '') %} {% elif grains['role'] == 'so-node' %} - {% set esalert = salt['pillar.get']('node:elastalert', '0') %} + {% set esalert = salt['pillar.get']('elasticsearch:elastalert', '0') %} {% endif %} # Elastalert @@ -101,7 +102,7 @@ elastaconf: so-elastalert: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-elastalert:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elastalert:{{ VERSION }} - hostname: elastalert - name: so-elastalert - user: elastalert diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index 271ef40cf..4d5d5b2e4 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml @@ -1,6 +1,11 @@ -{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %} -{%- set esclustername = salt['pillar.get']('master:esclustername', '') %} -cluster.name: "{{ esclustername }}" +{%- set NODE_ROUTE_TYPE = salt['pillar.get']('elasticsearch:node_route_type', 'hot') %} +{%- if salt['pillar.get']('elasticsearch:hot_warm_enabled') or salt['pillar.get']('elasticsearch:true_cluster') %} +{%- set ESCLUSTERNAME = salt['pillar.get']('elasticsearch:true_cluster_name', '') %} +{%- else %} +{%- set ESCLUSTERNAME = salt['pillar.get']('elasticsearch:esclustername', '') %} +{%- endif %} +{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +cluster.name: "{{ ESCLUSTERNAME }}" network.host: 0.0.0.0 # minimum_master_nodes need to be explicitly set when bound on a public IP @@ -10,19 +15,13 @@ discovery.zen.minimum_master_nodes: 1 # This is a test -- if this is here, then the volume is mounted correctly. path.logs: /var/log/elasticsearch action.destructive_requires_name: true -{%- else %} -{%- set esclustername = salt['grains.get']('host', '') %} -{%- set nodeip = salt['pillar.get']('node:mainip', '') -%} -cluster.name: "{{ esclustername }}" -network.host: 0.0.0.0 -discovery.zen.minimum_master_nodes: 1 -path.logs: /var/log/elasticsearch -action.destructive_requires_name: true transport.bind_host: 0.0.0.0 -transport.publish_host: {{ nodeip }} +transport.publish_host: {{ NODEIP }} transport.publish_port: 9300 -{%- endif %} cluster.routing.allocation.disk.threshold_enabled: true cluster.routing.allocation.disk.watermark.low: 95% cluster.routing.allocation.disk.watermark.high: 98% cluster.routing.allocation.disk.watermark.flood_stage: 98% +node.attr.box_type: {{ NODE_ROUTE_TYPE }} +node.name: {{ ESCLUSTERNAME }} +script.max_compilations_rate: 1000/1m diff --git a/salt/elasticsearch/files/ingest/beats.common b/salt/elasticsearch/files/ingest/beats.common index 0e93abb03..cafbc9e94 100644 --- a/salt/elasticsearch/files/ingest/beats.common +++ b/salt/elasticsearch/files/ingest/beats.common @@ -2,10 +2,28 @@ "description" : "beats.common", "processors" : [ {"community_id": {"if": "ctx.winlog.event_data?.Protocol != null", "field":["winlog.event_data.SourceIp","winlog.event_data.SourcePort","winlog.event_data.DestinationIp","winlog.event_data.DestinationPort","winlog.event_data.Protocol"],"target_field":"network.community_id"}}, - { "set": { "if": "ctx.winlog?.channel != null", "field": "dataset", "value": "wel-{{winlog.channel}}", "override": true } }, - { "set": { "if": "ctx.agent?.type != null", "field": "module", "value": "{{agent.type}}", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "field": "event.module", "value": "sysmon", "override": true } }, + { "set": { "if": "ctx.winlog?.channel != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } }, + { "set": { "if": "ctx.agent?.type != null", "field": "module", "value": "{{agent.type}}", "override": true } }, + { "set": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "field": "event.dataset", "value": "{{winlog.channel}}", "override": true } }, { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.category", "value": "host,process,network", "override": true } }, { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.category", "value": "host,process", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.dataset", "value": "process_creation", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 2", "field": "event.dataset", "value": "process_changed_file", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.dataset", "value": "network_connection", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 5", "field": "event.dataset", "value": "process_terminated", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 6", "field": "event.dataset", "value": "driver_loaded", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 7", "field": "event.dataset", "value": "image_loaded", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 8", "field": "event.dataset", "value": "create_remote_thread", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 9", "field": "event.dataset", "value": "raw_file_access_read", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 10", "field": "event.dataset", "value": "process_access", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 11", "field": "event.dataset", "value": "file_create", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 12", "field": "event.dataset", "value": "registry_create_delete", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 13", "field": "event.dataset", "value": "registry_value_set", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 14", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 15", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 16", "field": "event.dataset", "value": "config_change", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 22", "field": "event.dataset", "value": "dns_query", "override": true } }, { "rename": { "field": "agent.hostname", "target_field": "agent.name", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } }, diff --git a/salt/elasticsearch/files/ingest/common b/salt/elasticsearch/files/ingest/common index d8de06f31..9db5a039b 100644 --- a/salt/elasticsearch/files/ingest/common +++ b/salt/elasticsearch/files/ingest/common @@ -6,7 +6,8 @@ "field": "destination.ip", "target_field": "destination.geo", "database_file": "GeoLite2-City.mmdb", - "ignore_missing": true, + "ignore_missing": true, + "ignore_failure": true, "properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"] } }, @@ -16,6 +17,7 @@ "target_field": "source.geo", "database_file": "GeoLite2-City.mmdb", "ignore_missing": true, + "ignore_failure": true, "properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"] } }, @@ -34,14 +36,20 @@ "ignore_failure": true, "index_name_format": "yyyy.MM.dd" } - }, - { "rename": { "field": "module", "target_field": "event.module", "ignore_missing": true } }, - { "rename": { "field": "dataset", "target_field": "event.dataset", "ignore_missing": true } }, + }, + { "set": { "if": "ctx.event?.severity == 1", "field": "event.severity_label", "value": "low", "override": true } }, + { "set": { "if": "ctx.event?.severity == 2", "field": "event.severity_label", "value": "medium", "override": true } }, + { "set": { "if": "ctx.event?.severity == 3", "field": "event.severity_label", "value": "high", "override": true } }, + { "set": { "if": "ctx.event?.severity == 4", "field": "event.severity_label", "value": "critical", "override": true } }, + { "rename": { "field": "module", "target_field": "event.module", "ignore_failure": true, "ignore_missing": true } }, + { "rename": { "field": "dataset", "target_field": "event.dataset", "ignore_failure": true, "ignore_missing": true } }, { "rename": { "field": "category", "target_field": "event.category", "ignore_missing": true } }, { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_failure": true, "ignore_missing": true } }, + { "lowercase": { "field": "event.dataset", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "destination.port", "type": "integer", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "source.port", "type": "integer", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "log.id.uid", "type": "string", "ignore_failure": true, "ignore_missing": true } }, + { "convert": { "field": "event.severity", "type": "integer", "ignore_failure": true, "ignore_missing": true } }, { "remove": { "field": [ "index_name_prefix", "message2", "type" ], diff --git a/salt/elasticsearch/files/ingest/osquery.query_result b/salt/elasticsearch/files/ingest/osquery.query_result index 5b37655f9..80ed32d73 100644 --- a/salt/elasticsearch/files/ingest/osquery.query_result +++ b/salt/elasticsearch/files/ingest/osquery.query_result @@ -31,7 +31,25 @@ { "rename": { "field": "message3.columns.remote_port", "target_field": "remote.port", "ignore_missing": true } }, { "rename": { "field": "message3.columns.process_name", "target_field": "process.name", "ignore_missing": true } }, { "rename": { "field": "message3.columns.eventid", "target_field": "event.code", "ignore_missing": true } }, - { "set": { "if": "ctx.message3.columns?.data != null", "field": "dataset", "value": "wel-{{message3.columns.source}}", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational'", "field": "event.module", "value": "sysmon", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } }, + { "set": { "if": "ctx.message3.columns?.source != 'Microsoft-Windows-Sysmon/Operational'", "field": "event.dataset", "value": "{{message3.columns.source}}", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.dataset", "value": "process_creation", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 2", "field": "event.dataset", "value": "process_changed_file", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.dataset", "value": "network_connection", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 5", "field": "event.dataset", "value": "process_terminated", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 6", "field": "event.dataset", "value": "driver_loaded", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 7", "field": "event.dataset", "value": "image_loaded", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 8", "field": "event.dataset", "value": "create_remote_thread", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 9", "field": "event.dataset", "value": "raw_file_access_read", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 10", "field": "event.dataset", "value": "process_access", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 11", "field": "event.dataset", "value": "file_create", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 12", "field": "event.dataset", "value": "registry_create_delete", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 13", "field": "event.dataset", "value": "registry_value_set", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 14", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 15", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 16", "field": "event.dataset", "value": "config_change", "override": true } }, + { "set": { "if": "ctx.message3.columns?.source == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 22", "field": "event.dataset", "value": "dns_query", "override": true } }, { "rename": { "field": "message3.columns.winlog.EventData.SubjectUserName", "target_field": "user.name", "ignore_missing": true } }, { "rename": { "field": "message3.columns.winlog.EventData.destinationHostname", "target_field": "destination.hostname", "ignore_missing": true } }, { "rename": { "field": "message3.columns.winlog.EventData.destinationIp", "target_field": "destination.ip", "ignore_missing": true } }, diff --git a/salt/elasticsearch/files/ingest/ossec.alert b/salt/elasticsearch/files/ingest/ossec.alert index 2aab7f630..7654bf255 100644 --- a/salt/elasticsearch/files/ingest/ossec.alert +++ b/salt/elasticsearch/files/ingest/ossec.alert @@ -49,6 +49,9 @@ { "set": { "if": "ctx.rule.level == 13", "field": "rule.category", "value": "Unusal error (high importance)" } }, { "set": { "if": "ctx.rule.level == 14", "field": "rule.category", "value": "High importance security event" } }, { "set": { "if": "ctx.rule.level == 15", "field": "rule.category", "value": "Severe attack" } }, + { "set": { "if": "ctx.rule.level <= 7", "field": "event.severity", "value": 1, "override": true } }, + { "set": { "if": "ctx.rule.level >= 8 && ctx.rule.level <= 11", "field": "event.severity", "value": 2, "override": true } }, + { "set": { "if": "ctx.rule.level >= 12", "field": "event.severity", "value": 3, "override": true } }, { "append": { "if": "ctx.rule.level != null", "field": "tags", "value": ["alert"] } }, { "remove": { "field": [ "predecoder", "decoder" ], "ignore_missing": true, "ignore_failure": false } }, { "pipeline": { "name": "common" } } diff --git a/salt/elasticsearch/files/ingest/strelka b/salt/elasticsearch/files/ingest/strelka deleted file mode 100644 index 39783c2ce..000000000 --- a/salt/elasticsearch/files/ingest/strelka +++ /dev/null @@ -1,12 +0,0 @@ -{ - "description" : "strelka", - "processors" : [ - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, - { "rename": { "field": "message2.file", "target_field": "file", "ignore_missing": true } }, - { "rename": { "field": "message2.scan", "target_field": "scan", "ignore_missing": true } }, - { "rename": { "field": "message2.request", "target_field": "request", "ignore_missing": true } }, - { "rename": { "field": "scan.hash", "target_field": "file.hash", "ignore_missing": true } }, - { "remove": { "field": ["host", "path", "agent"], "ignore_missing": true } }, - { "pipeline": { "name": "common" } } - ] -} diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file index a2e08b799..d9d6fc0f0 100644 --- a/salt/elasticsearch/files/ingest/strelka.file +++ b/salt/elasticsearch/files/ingest/strelka.file @@ -6,7 +6,21 @@ { "rename": { "field": "message2.scan", "target_field": "scan", "ignore_missing": true } }, { "rename": { "field": "message2.request", "target_field": "request", "ignore_missing": true } }, { "rename": { "field": "scan.hash", "target_field": "hash", "ignore_missing": true } }, - { "remove": { "field": ["host", "path"], "ignore_missing": true } }, + { "grok": { "field": "request.attributes.filename", "patterns": ["-%{WORD:log.id.fuid}-"] } }, + { "foreach": + { + "if": "ctx.scan?.exiftool?.keys !=null", + "field": "scan.exiftool.keys", + "processor":{ + "set": { + "field": "scan.exiftool.{{_ingest._value.key}}", + "value": "{{_ingest._value.value}}" + } + } + } + }, + { "set": { "field": "observer.name", "value": "{{agent.name}}" }}, + { "remove": { "field": ["host", "path", "message", "scan.exiftool.keys"], "ignore_missing": true } }, { "pipeline": { "name": "common" } } ] } diff --git a/salt/elasticsearch/files/ingest/suricata.alert b/salt/elasticsearch/files/ingest/suricata.alert index 82486adc6..5a0cfc4df 100644 --- a/salt/elasticsearch/files/ingest/suricata.alert +++ b/salt/elasticsearch/files/ingest/suricata.alert @@ -7,6 +7,9 @@ { "rename":{ "field": "rule.signature_id", "target_field": "rule.uuid", "ignore_failure": true } }, { "rename":{ "field": "rule.signature_id", "target_field": "rule.signature", "ignore_failure": true } }, { "rename":{ "field": "message2.payload_printable", "target_field": "network.data.decoded", "ignore_failure": true } }, + { "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } }, + { "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } }, + { "set": { "if": "ctx.rule.severity == 1", "field": "event.severity", "value": 3, "override": true } }, { "pipeline": { "name": "common" } } ] } diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common index dd08b08a0..2bc727012 100644 --- a/salt/elasticsearch/files/ingest/suricata.common +++ b/salt/elasticsearch/files/ingest/suricata.common @@ -12,6 +12,8 @@ { "remove":{ "field": "dataset", "ignore_failure": true } }, { "rename":{ "field": "message2.event_type", "target_field": "dataset", "ignore_failure": true } }, { "set": { "field": "observer.name", "value": "{{agent.name}}" } }, + { "set": { "field": "ingest.timestamp", "value": "{{@timestamp}}" } }, + { "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } }, { "remove":{ "field": "agent", "ignore_failure": true } }, { "pipeline": { "name": "suricata.{{dataset}}" } } ] diff --git a/salt/elasticsearch/files/ingest/zeek.dns b/salt/elasticsearch/files/ingest/zeek.dns index 050c6d414..09ce7fd9f 100644 --- a/salt/elasticsearch/files/ingest/zeek.dns +++ b/salt/elasticsearch/files/ingest/zeek.dns @@ -23,7 +23,7 @@ { "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } }, { "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } }, { "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } }, - { "pipeline": { "if": "ctx.dns.query.name.contains('.')", "name": "zeek.dns.tld"} }, + { "pipeline": { "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "zeek.dns.tld" } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.files b/salt/elasticsearch/files/ingest/zeek.files index f72bde097..c5fefa85f 100644 --- a/salt/elasticsearch/files/ingest/zeek.files +++ b/salt/elasticsearch/files/ingest/zeek.files @@ -4,13 +4,12 @@ { "remove": { "field": ["host"], "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } }, - { "rename": { "field": "message2.conn_uids", "target_field": "log.id.uids", "ignore_missing": true } }, { "remove": { "field": "source", "ignore_missing": true } }, { "rename": { "field": "message2.rx_hosts.0", "target_field": "destination.ip", "ignore_missing": true } }, { "rename": { "field": "message2.tx_hosts.0", "target_field": "source.ip", "ignore_missing": true } }, { "remove": { "field": "message2.rx_hosts", "ignore_missing": true } }, { "remove": { "field": "message2.tx_hosts", "ignore_missing": true } }, - { "rename": { "field": "message2.conn_uids", "target_field": "log.id.uids", "ignore_missing": true } }, + { "rename": { "field": "message2.conn_uids", "target_field": "log.id.uid", "ignore_missing": true } }, { "rename": { "field": "message2.source", "target_field": "file.source", "ignore_missing": true } }, { "rename": { "field": "message2.depth", "target_field": "file.depth", "ignore_missing": true } }, { "rename": { "field": "message2.analyzers", "target_field": "file.analyzer", "ignore_missing": true } }, @@ -30,6 +29,7 @@ { "rename": { "field": "message2.extracted", "target_field": "file.extracted.filename", "ignore_missing": true } }, { "rename": { "field": "message2.extracted_cutoff", "target_field": "file.extracted.cutoff", "ignore_missing": true } }, { "rename": { "field": "message2.extracted_size", "target_field": "file.extracted.size", "ignore_missing": true } }, + { "set": { "field": "dataset", "value": "file" } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.ftp b/salt/elasticsearch/files/ingest/zeek.ftp index 55f6b4029..45aa76055 100644 --- a/salt/elasticsearch/files/ingest/zeek.ftp +++ b/salt/elasticsearch/files/ingest/zeek.ftp @@ -1,5 +1,5 @@ { - "description" : "zeek.http", + "description" : "zeek.ftp", "processors" : [ { "remove": { "field": ["host"], "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, diff --git a/salt/elasticsearch/files/ingest/zeek.kerberos b/salt/elasticsearch/files/ingest/zeek.kerberos index 33381cd2d..0b09ebf61 100644 --- a/salt/elasticsearch/files/ingest/zeek.kerberos +++ b/salt/elasticsearch/files/ingest/zeek.kerberos @@ -13,9 +13,9 @@ { "rename": { "field": "message2.cipher", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } }, { "rename": { "field": "message2.forwardable", "target_field": "kerberos.ticket.forwardable", "ignore_missing": true } }, { "rename": { "field": "message2.renewable", "target_field": "kerberos.ticket.renewable", "ignore_missing": true } }, - { "rename": { "field": "message2.client_cert_subject", "target_field": "kerberos.client.certificate.subject", "ignore_missing": true } }, + { "rename": { "field": "message2.client_cert_subject", "target_field": "kerberos.client_certificate_subject", "ignore_missing": true } }, { "rename": { "field": "message2.client_cert_fuid", "target_field": "log.id.client_certificate_fuid", "ignore_missing": true } }, - { "rename": { "field": "message2.server_cert_subject", "target_field": "kerberos.server.certificate.subject", "ignore_missing": true } }, + { "rename": { "field": "message2.server_cert_subject", "target_field": "kerberos.server_certificate_subject", "ignore_missing": true } }, { "rename": { "field": "message2.server_cert_fuid", "target_field": "log.id.server_certificate_fuid", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] diff --git a/salt/elasticsearch/files/ingest/zeek.smb_mapping b/salt/elasticsearch/files/ingest/zeek.smb_mapping index 0242ab8f8..637ff414f 100644 --- a/salt/elasticsearch/files/ingest/zeek.smb_mapping +++ b/salt/elasticsearch/files/ingest/zeek.smb_mapping @@ -1,5 +1,5 @@ { - "description" : "zeek.smb_files", + "description" : "zeek.smb_mapping", "processors" : [ { "remove": { "field": ["host"], "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, diff --git a/salt/elasticsearch/files/ingest/zeek.ssh b/salt/elasticsearch/files/ingest/zeek.ssh index f4685de74..03a9abc15 100644 --- a/salt/elasticsearch/files/ingest/zeek.ssh +++ b/salt/elasticsearch/files/ingest/zeek.ssh @@ -1,5 +1,5 @@ { - "description" : "zeek.conn", + "description" : "zeek.ssh", "processors" : [ { "remove": { "field": ["host"], "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 4e57f1342..909d30152 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -13,7 +13,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} {% set FEATURES = salt['pillar.get']('elastic:features', False) %} {% if FEATURES %} @@ -22,14 +23,16 @@ {% set FEATURES = '' %} {% endif %} -{% if grains['role'] in ['so-eval','so-mastersearch', 'so-master', 'so-standalone'] %} - {% set esclustername = salt['pillar.get']('master:esclustername', '') %} - {% set esheap = salt['pillar.get']('master:esheap', '') %} +{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} + {% set esclustername = salt['pillar.get']('manager:esclustername', '') %} + {% set esheap = salt['pillar.get']('manager:esheap', '') %} {% elif grains['role'] in ['so-node','so-heavynode'] %} - {% set esclustername = salt['pillar.get']('node:esclustername', '') %} - {% set esheap = salt['pillar.get']('node:esheap', '') %} + {% set esclustername = salt['pillar.get']('elasticsearch:esclustername', '') %} + {% set esheap = salt['pillar.get']('elasticsearch:esheap', '') %} {% endif %} +{% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} + vm.max_map_count: sysctl.present: - value: 262144 @@ -62,6 +65,13 @@ esingestdir: - group: 939 - makedirs: True +estemplatedir: + file.directory: + - name: /opt/so/conf/elasticsearch/templates + - user: 930 + - group: 939 + - makedirs: True + esingestconf: file.recurse: - name: /opt/so/conf/elasticsearch/ingest @@ -85,6 +95,21 @@ esyml: - group: 939 - template: jinja +#sync templates to /opt/so/conf/elasticsearch/templates +{% for TEMPLATE in TEMPLATES %} +es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}: + file.managed: + - source: salt://elasticsearch/templates/{{TEMPLATE}} + {% if 'jinja' in TEMPLATE.split('.')[-1] %} + - name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}} + - template: jinja + {% else %} + - name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1]}} + {% endif %} + - user: 930 + - group: 939 +{% endfor %} + nsmesdir: file.directory: - name: /nsm/elasticsearch @@ -101,7 +126,7 @@ eslogdir: so-elasticsearch: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-elasticsearch:{{ VERSION }}{{ FEATURES }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }}{{ FEATURES }} - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch @@ -141,7 +166,7 @@ so-elasticsearch-pipelines: - file: esyml - file: so-elasticsearch-pipelines-file -{% if grains['role'] in ['so-master', 'so-eval', 'so-mastersearch', 'so-standalone'] %} +{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] and TEMPLATES %} so-elasticsearch-templates: cmd.run: - name: /usr/sbin/so-elasticsearch-templates diff --git a/salt/logstash/pipelines/templates/custom/place_custom_template_in_local b/salt/elasticsearch/templates/custom/place_custom_template_in_local similarity index 100% rename from salt/logstash/pipelines/templates/custom/place_custom_template_in_local rename to salt/elasticsearch/templates/custom/place_custom_template_in_local diff --git a/salt/elasticsearch/templates/so/so-beats-template.json.jinja b/salt/elasticsearch/templates/so/so-beats-template.json.jinja new file mode 100644 index 000000000..6d2cf7851 --- /dev/null +++ b/salt/elasticsearch/templates/so/so-beats-template.json.jinja @@ -0,0 +1,13 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-beats:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-beats:refresh', '30s') %} +{ + "index_patterns": ["so-beats-*"], + "version": 50001, + "order": 11, + "settings":{ + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" + } +} diff --git a/salt/logstash/pipelines/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json similarity index 96% rename from salt/logstash/pipelines/templates/so/so-common-template.json rename to salt/elasticsearch/templates/so/so-common-template.json index 396e26c3c..c0167198d 100644 --- a/salt/logstash/pipelines/templates/so/so-common-template.json +++ b/salt/elasticsearch/templates/so/so-common-template.json @@ -1,15 +1,16 @@ { - "index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*", "so-osquery-*"], + "index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*", "so-osquery-*","so-playbook-*"], "version":50001, - "order" : 10, + "order":10, "settings":{ "number_of_replicas":0, "number_of_shards":1, - "index.refresh_interval":"30s" + "index.refresh_interval":"30s", + "index.routing.allocation.require.box_type":"hot" }, "mappings":{ - "dynamic": false, - "date_detection": false, + "dynamic":false, + "date_detection":false, "properties":{ "@timestamp":{ "type":"date" @@ -19,7 +20,7 @@ }, "osquery":{ "type":"object", - "dynamic": true + "dynamic":true }, "geoip":{ "dynamic":true, @@ -380,6 +381,10 @@ "type":"object", "dynamic": true }, + "winlog":{ + "type":"object", + "dynamic": true + }, "x509":{ "type":"object", "dynamic": true diff --git a/salt/elasticsearch/templates/so/so-firewall-template.json.jinja b/salt/elasticsearch/templates/so/so-firewall-template.json.jinja new file mode 100644 index 000000000..7bc81fd12 --- /dev/null +++ b/salt/elasticsearch/templates/so/so-firewall-template.json.jinja @@ -0,0 +1,13 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-firewall:refresh', '30s') %} +{ + "index_patterns": ["so-firewall-*"], + "version":50001, + "order":11, + "settings":{ + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" + } +} diff --git a/salt/elasticsearch/templates/so/so-flow-template.json.jinja b/salt/elasticsearch/templates/so/so-flow-template.json.jinja new file mode 100644 index 000000000..6c8f2fa9f --- /dev/null +++ b/salt/elasticsearch/templates/so/so-flow-template.json.jinja @@ -0,0 +1,13 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-flow:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-flow:refresh', '30s') %} +{ + "index_patterns": ["so-flow-*"], + "version": 50001, + "order": 11, + "settings":{ + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" + } +} diff --git a/salt/elasticsearch/templates/so/so-ids-template.json.jinja b/salt/elasticsearch/templates/so/so-ids-template.json.jinja new file mode 100644 index 000000000..abf37319a --- /dev/null +++ b/salt/elasticsearch/templates/so/so-ids-template.json.jinja @@ -0,0 +1,13 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ids:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ids:refresh', '30s') %} +{ + "index_patterns": ["so-ids-*"], + "version":50001, + "order":11, + "settings":{ + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" + } +} diff --git a/salt/elasticsearch/templates/so/so-import-template.json.jinja b/salt/elasticsearch/templates/so/so-import-template.json.jinja new file mode 100644 index 000000000..e4d68235d --- /dev/null +++ b/salt/elasticsearch/templates/so/so-import-template.json.jinja @@ -0,0 +1,13 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-import:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-import:refresh', '30s') %} +{ + "index_patterns": ["so-import-*"], + "version":50001, + "order": 11, + "settings":{ + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" + } +} diff --git a/salt/elasticsearch/templates/so/so-osquery-template.json.jinja b/salt/elasticsearch/templates/so/so-osquery-template.json.jinja new file mode 100644 index 000000000..47cb3ebab --- /dev/null +++ b/salt/elasticsearch/templates/so/so-osquery-template.json.jinja @@ -0,0 +1,13 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-osquery:refresh', '30s') %} +{ + "index_patterns": ["so-osquery-*"], + "version":50001, + "order":11, + "settings":{ + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" + } +} diff --git a/salt/elasticsearch/templates/so/so-ossec-template.json.jinja b/salt/elasticsearch/templates/so/so-ossec-template.json.jinja new file mode 100644 index 000000000..ce903e228 --- /dev/null +++ b/salt/elasticsearch/templates/so/so-ossec-template.json.jinja @@ -0,0 +1,13 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ossec:refresh', '30s') %} +{ + "index_patterns": ["so-ossec-*"], + "version":50001, + "order":11, + "settings":{ + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" + } +} diff --git a/salt/elasticsearch/templates/so/so-strelka-template.json.jinja b/salt/elasticsearch/templates/so/so-strelka-template.json.jinja new file mode 100644 index 000000000..2f7db541a --- /dev/null +++ b/salt/elasticsearch/templates/so/so-strelka-template.json.jinja @@ -0,0 +1,13 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-strelka:refresh', '30s') %} +{ + "index_patterns": ["so-strelka-*"], + "version":50001, + "order":11, + "settings":{ + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" + } +} diff --git a/salt/elasticsearch/templates/so/so-syslog-template.json.jinja b/salt/elasticsearch/templates/so/so-syslog-template.json.jinja new file mode 100644 index 000000000..47f8d78e6 --- /dev/null +++ b/salt/elasticsearch/templates/so/so-syslog-template.json.jinja @@ -0,0 +1,14 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-syslog:refresh', '30s') %} +{ + "index_patterns": ["so-syslog-*"], + "version":50001, + "order":11, + "settings":{ + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" + } +} + diff --git a/salt/elasticsearch/templates/so/so-zeek-template.json.jinja b/salt/elasticsearch/templates/so/so-zeek-template.json.jinja new file mode 100644 index 000000000..616607f52 --- /dev/null +++ b/salt/elasticsearch/templates/so/so-zeek-template.json.jinja @@ -0,0 +1,13 @@ +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %} +{ + "index_patterns": ["so-zeek-*"], + "version":50001, + "order":11, + "settings":{ + "number_of_replicas":{{ REPLICAS }}, + "number_of_shards":{{ SHARDS }}, + "index.refresh_interval":"{{ REFRESH }}" + } +} diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index da116cf2c..825ffaf64 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -1,15 +1,15 @@ {%- if grains.role == 'so-heavynode' %} -{%- set MASTER = salt['pillar.get']('sensor:mainip' '') %} +{%- set MANAGER = salt['pillar.get']('sensor:mainip' '') %} {%- else %} -{%- set MASTER = grains['master'] %} +{%- set MANAGER = salt['grains.get']('master') %} {%- endif %} {%- set HOSTNAME = salt['grains.get']('host', '') %} -{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} +{%- set ZEEKVER = salt['pillar.get']('static:zeekversion', 'COMMUNITY') %} {%- set WAZUHENABLED = salt['pillar.get']('static:wazuh', '0') %} -{%- set STRELKAENABLED = salt['pillar.get']('static:strelka', '0') %} -{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%} +{%- set STRELKAENABLED = salt['pillar.get']('strelka:enabled', '0') %} +{%- set FLEETMANAGER = salt['pillar.get']('static:fleet_manager', False) -%} {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%} name: {{ HOSTNAME }} @@ -75,145 +75,194 @@ filebeat.modules: filebeat.inputs: #------------------------------ Log prospector -------------------------------- {%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" or grains['role'] == "so-standalone" %} +- type: udp + enabled: true + host: "0.0.0.0:514" + fields: + module: syslog + dataset: syslog + pipeline: "syslog" + index: "so-syslog-%{+yyyy.MM.dd}" + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + fields_under_root: true - - type: udp - enabled: true - host: "0.0.0.0:514" - fields: - module: syslog - dataset: syslog - pipeline: "syslog" - index: "so-syslog-%{+yyyy.MM.dd}" - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - fields_under_root: true - - - type: tcp - enabled: true - host: "0.0.0.0:514" - fields: - module: syslog - dataset: syslog - pipeline: "syslog" - index: "so-syslog-%{+yyyy.MM.dd}" - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - fields_under_root: true -{%- if BROVER != 'SURICATA' %} -{%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %} - - type: log - paths: - - /nsm/zeek/logs/current/{{ LOGNAME }}.log - fields: - module: zeek - dataset: {{ LOGNAME }} - category: network - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: false - close_removed: false - -{%- endfor %} -{%- endif %} - - - type: log - paths: - - /suricata/eve*.json - fields: - module: suricata - dataset: common +- type: tcp + enabled: true + host: "0.0.0.0:514" + fields: + module: syslog + dataset: syslog + pipeline: "syslog" + index: "so-syslog-%{+yyyy.MM.dd}" + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + fields_under_root: true + {%- if ZEEKVER != 'SURICATA' %} + {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %} +- type: log + paths: + - /nsm/zeek/logs/current/{{ LOGNAME }}.log + fields: + module: zeek + dataset: {{ LOGNAME }} category: network + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + + fields_under_root: true + clean_removed: false + close_removed: false - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] +- type: log + paths: + - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log + fields: + module: zeek + dataset: {{ LOGNAME }} + category: network + imported: true + processors: + - add_tags: + tags: ["import"] + - dissect: + tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}" + field: "log.file.path" + target_prefix: "" + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + + fields_under_root: true + clean_removed: false + close_removed: false + {%- endfor %} + {%- endif %} - fields_under_root: true - clean_removed: false - close_removed: false +- type: log + paths: + - /nsm/suricata/eve*.json + fields: + module: suricata + dataset: common + category: network + + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + + fields_under_root: true + clean_removed: false + close_removed: false + +- type: log + paths: + - /nsm/import/*/suricata/eve*.json + fields: + module: suricata + dataset: common + category: network + imported: true + processors: + - add_tags: + tags: ["import"] + - dissect: + tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}" + field: "log.file.path" + target_prefix: "" + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + + fields_under_root: true + clean_removed: false + close_removed: false {%- if STRELKAENABLED == 1 %} +- type: log + paths: + - /nsm/strelka/log/strelka.log + fields: + module: strelka + category: file + dataset: file - - type: log - paths: - - /nsm/strelka/log/strelka.log - fields: - module: strelka - category: file - dataset: file + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: false - close_removed: false + fields_under_root: true + clean_removed: false + close_removed: false {%- endif %} {%- endif %} {%- if WAZUHENABLED == 1 %} - - type: log - paths: - - /wazuh/alerts/alerts.json - fields: - module: ossec - dataset: alert - category: host - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] +- type: log + paths: + - /wazuh/alerts/alerts.json + fields: + module: ossec + dataset: alert + category: host + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] - fields_under_root: true - clean_removed: false - close_removed: false - -# - type: log -# paths: -# - /wazuh/archives/archives.json -# fields: -# type: ossec_archive -# fields_under_root: true -# clean_removed: false -# close_removed: false + fields_under_root: true + clean_removed: false + close_removed: false {%- endif %} -{%- if FLEETMASTER or FLEETNODE %} +{%- if FLEETMANAGER or FLEETNODE %} - - type: log - paths: - - /nsm/osquery/fleet/result.log - fields: - module: osquery - dataset: query_result - category: host +- type: log + paths: + - /nsm/osquery/fleet/result.log + fields: + module: osquery + dataset: query_result + category: host - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] - fields_under_root: true - clean_removed: false - close_removed: false + fields_under_root: true + clean_removed: false + close_removed: false {%- endif %} +{%- if INPUTS %} +# USER PILLAR DEFINED INPUTS +{{ INPUTS | yaml(False) }} +{%- endif %} + +{% if OUTPUT -%} +# USER PILLAR DEFINED OUTPUT +{%- set types = OUTPUT.keys() | list %} +{%- set type = types[0] %} +output.{{ type }}: + {%- for i in OUTPUT[type].items() %} + {{ i[0] }}: {{ i[1]}} + {%- endfor %} +{%- else %} #----------------------------- Elasticsearch/Logstash output --------------------------------- -{%- if grains['role'] == "so-eval" %} + {%- if grains['role'] == "so-eval" %} output.elasticsearch: enabled: true - hosts: ["{{ MASTER }}:9200"] + hosts: ["{{ MANAGER }}:9200"] pipelines: - pipeline: "%{[module]}.%{[dataset]}" indices: + - index: "so-import-%{+yyyy.MM.dd}" + when.contains: + tags: "import" - index: "so-zeek-%{+yyyy.MM.dd}" when.contains: module: "zeek" @@ -229,16 +278,16 @@ output.elasticsearch: - index: "so-strelka-%{+yyyy.MM.dd}" when.contains: module: "strelka" - + setup.template.enabled: false -{%- else %} + {%- else %} output.logstash: # Boolean flag to enable or disable the output module. enabled: true # The Logstash hosts - hosts: ["{{ MASTER }}:5644"] + hosts: ["{{ MANAGER }}:5644"] # Number of workers per Logstash host. #worker: 1 @@ -282,7 +331,8 @@ setup.template.enabled: false # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html #_source: #enabled: false -{%- endif %} + {%- endif %} +{% endif %} #============================== Kibana ===================================== # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 897bb3937..6889b892f 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -12,8 +12,9 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} -{% set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} +{% set MANAGERIP = salt['pillar.get']('static:managerip', '') %} {% set FEATURES = salt['pillar.get']('elastic:features', False) %} {% if FEATURES %} {% set FEATURES = "-features" %} @@ -46,21 +47,21 @@ filebeatconfsync: - user: 0 - group: 0 - template: jinja + - defaults: + INPUTS: {{ salt['pillar.get']('filebeat:config:inputs', {}) }} + OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }} so-filebeat: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-filebeat:{{ VERSION }}{{ FEATURES }} - hostname: so-filebeat - user: root - - extra_hosts: {{ MASTER }}:{{ MASTERIP }} + - extra_hosts: {{ MANAGER }}:{{ MANAGERIP }} - binds: + - /nsm:/nsm:ro - /opt/so/log/filebeat:/usr/share/filebeat/logs:rw - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro - - /nsm/zeek:/nsm/zeek:ro - - /nsm/strelka/log:/nsm/strelka/log:ro - - /nsm/suricata:/suricata:ro - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro - /opt/so/wazuh/logs/archives:/wazuh/archives:ro - - /nsm/osquery/fleet/:/nsm/osquery/fleet:ro - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro diff --git a/salt/filebeat/pillar.example b/salt/filebeat/pillar.example new file mode 100644 index 000000000..e1731b22e --- /dev/null +++ b/salt/filebeat/pillar.example @@ -0,0 +1,22 @@ +filebeat: + config: + inputs: + - type: log + paths: + - /nsm/mylogdir/mylog.log + fields: + module: mymodule + dataset: mydataset + category: mycategory + + processors: + - drop_fields: + fields: '["source", "prospector", "input", "offset", "beat"]' + + fields_under_root: true + clean_removed: false + close_removed: false + output: + file: + path: "/tmp/filebeat" + filename: filebeat \ No newline at end of file diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index beda399e7..2500c604a 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -6,14 +6,13 @@ role: chain: DOCKER-USER: hostgroups: - master: + manager: portgroups: - {{ portgroups.wazuh_agent }} - {{ portgroups.wazuh_api }} - {{ portgroups.wazuh_authd }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.influxdb }} @@ -49,9 +48,15 @@ role: beats_endpoint_ssl: portgroups: - {{ portgroups.beats_5644 }} + elasticsearch_rest: + portgroups: + - {{ portgroups.elasticsearch_rest }} osquery_endpoint: portgroups: - {{ portgroups.fleet_api }} + strelka_frontend: + portgroups: + - {{ portgroups.strelka_frontend }} syslog: portgroups: - {{ portgroups.syslog }} @@ -80,19 +85,18 @@ role: - {{ portgroups.all }} minion: portgroups: - - {{ portgroups.salt_master }} - master: + - {{ portgroups.salt_manager }} + manager: chain: DOCKER-USER: hostgroups: - master: + manager: portgroups: - {{ portgroups.wazuh_agent }} - {{ portgroups.wazuh_api }} - {{ portgroups.wazuh_authd }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.influxdb }} @@ -131,6 +135,9 @@ role: beats_endpoint_ssl: portgroups: - {{ portgroups.beats_5644 }} + elasticsearch_rest: + portgroups: + - {{ portgroups.elasticsearch_rest }} osquery_endpoint: portgroups: - {{ portgroups.fleet_api }} @@ -159,19 +166,18 @@ role: - {{ portgroups.all }} minion: portgroups: - - {{ portgroups.salt_master }} - mastersearch: + - {{ portgroups.salt_manager }} + managersearch: chain: DOCKER-USER: hostgroups: - master: + manager: portgroups: - {{ portgroups.wazuh_agent }} - {{ portgroups.wazuh_api }} - {{ portgroups.wazuh_authd }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.influxdb }} @@ -207,6 +213,9 @@ role: beats_endpoint_ssl: portgroups: - {{ portgroups.beats_5644 }} + elasticsearch_rest: + portgroups: + - {{ portgroups.elasticsearch_rest }} osquery_endpoint: portgroups: - {{ portgroups.fleet_api }} @@ -238,19 +247,18 @@ role: - {{ portgroups.all }} minion: portgroups: - - {{ portgroups.salt_master }} + - {{ portgroups.salt_manager }} standalone: chain: DOCKER-USER: hostgroups: - master: + manager: portgroups: - {{ portgroups.wazuh_agent }} - {{ portgroups.wazuh_api }} - {{ portgroups.wazuh_authd }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.influxdb }} @@ -286,6 +294,9 @@ role: beats_endpoint_ssl: portgroups: - {{ portgroups.beats_5644 }} + elasticsearch_rest: + portgroups: + - {{ portgroups.elasticsearch_rest }} osquery_endpoint: portgroups: - {{ portgroups.fleet_api }} @@ -317,17 +328,16 @@ role: - {{ portgroups.all }} minion: portgroups: - - {{ portgroups.salt_master }} + - {{ portgroups.salt_manager }} helixsensor: chain: DOCKER-USER: hostgroups: - master: + manager: portgroups: - {{ portgroups.wazuh_agent }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.influxdb }} @@ -381,18 +391,21 @@ role: - {{ portgroups.all }} minion: portgroups: - - {{ portgroups.salt_master }} + - {{ portgroups.salt_manager }} searchnode: chain: DOCKER-USER: hostgroups: - master: + manager: portgroups: - {{ portgroups.elasticsearch_node }} dockernet: portgroups: - {{ portgroups.elasticsearch_node }} - {{ portgroups.elasticsearch_rest }} + elasticsearch_rest: + portgroups: + - {{ portgroups.elasticsearch_rest }} INPUT: hostgroups: anywhere: @@ -466,4 +479,4 @@ role: - {{ portgroups.all }} localhost: portgroups: - - {{ portgroups.all }} \ No newline at end of file + - {{ portgroups.all }} diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml index 5f28d1af3..5ff6b900b 100644 --- a/salt/firewall/hostgroups.yaml +++ b/salt/firewall/hostgroups.yaml @@ -19,4 +19,4 @@ firewall: ips: delete: insert: - - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('node:mainint', salt['pillar.get']('host:mainint')))))[0] }} \ No newline at end of file + - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} \ No newline at end of file diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml index 94dace60f..b8d86f253 100644 --- a/salt/firewall/portgroups.yaml +++ b/salt/firewall/portgroups.yaml @@ -48,9 +48,6 @@ firewall: mysql: tcp: - 3306 - navigator: - tcp: - - 4200 nginx: tcp: - 80 @@ -64,7 +61,7 @@ firewall: redis: tcp: - 6379 - salt_master: + salt_manager: tcp: - 4505 - 4506 @@ -74,6 +71,9 @@ firewall: ssh: tcp: - 22 + strelka_frontend: + tcp: + - 57314 syslog: tcp: - 514 @@ -89,4 +89,4 @@ firewall: - 55000 wazuh_authd: tcp: - - 1515 \ No newline at end of file + - 1515 diff --git a/salt/fleet/event_gen-packages.sls b/salt/fleet/event_gen-packages.sls index e353eaf92..24b013704 100644 --- a/salt/fleet/event_gen-packages.sls +++ b/salt/fleet/event_gen-packages.sls @@ -1,13 +1,17 @@ -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('master') %} {% set ENROLLSECRET = salt['pillar.get']('secrets:fleet_enroll-secret') %} {% set CURRENTPACKAGEVERSION = salt['pillar.get']('static:fleet_packages-version') %} {% set VERSION = salt['pillar.get']('static:soversion') %} {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{%- set FLEETNODE = salt['pillar.get']('static:fleet_node') -%} {% if CUSTOM_FLEET_HOSTNAME != None and CUSTOM_FLEET_HOSTNAME != '' %} {% set HOSTNAME = CUSTOM_FLEET_HOSTNAME %} -{% else %} +{% elif FLEETNODE %} {% set HOSTNAME = grains.host %} +{% else %} + {% set HOSTNAME = salt['pillar.get']('manager:url_base') %} {% endif %} so/fleet: @@ -19,6 +23,6 @@ so/fleet: mainip: {{ grains.host }} enroll-secret: {{ ENROLLSECRET }} current-package-version: {{ CURRENTPACKAGEVERSION }} - master: {{ MASTER }} + manager: {{ MANAGER }} version: {{ VERSION }} - \ No newline at end of file + imagerepo: {{ IMAGEREPO }} \ No newline at end of file diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index 65f32e213..0b402a54b 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -2,14 +2,15 @@ {%- set FLEETPASS = salt['pillar.get']('secrets:fleet', None) -%} {%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} {% set FLEETARCH = salt['grains.get']('role') %} {% if FLEETARCH == "so-fleet" %} {% set MAININT = salt['pillar.get']('host:mainint') %} {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} {% else %} - {% set MAINIP = salt['pillar.get']('static:masterip') %} + {% set MAINIP = salt['pillar.get']('static:managerip') %} {% endif %} include: @@ -105,7 +106,7 @@ fleet_password_none: so-fleet: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-fleet:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-fleet:{{ VERSION }} - hostname: so-fleet - port_bindings: - 0.0.0.0:8080:8080 diff --git a/salt/fleet/install_package.sls b/salt/fleet/install_package.sls index 3787d6111..d09de540c 100644 --- a/salt/fleet/install_package.sls +++ b/salt/fleet/install_package.sls @@ -1,4 +1,4 @@ -{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%} +{%- set FLEETMANAGER = salt['pillar.get']('static:fleet_manager', False) -%} {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%} {%- set FLEETHOSTNAME = salt['pillar.get']('static:fleet_hostname', False) -%} {%- set FLEETIP = salt['pillar.get']('static:fleet_ip', False) -%} diff --git a/salt/freqserver/init.sls b/salt/freqserver/init.sls index 783d11b6a..08661f3da 100644 --- a/salt/freqserver/init.sls +++ b/salt/freqserver/init.sls @@ -13,6 +13,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} + # Create the user fservergroup: group.present: @@ -37,13 +39,13 @@ freqlogdir: so-freqimage: cmd.run: - - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-freqserver:HH1.0.3 + - name: docker pull --disable-content-trust=false docker.io/{{ IMAGEREPO }}/so-freqserver:HH1.0.3 so-freq: docker_container.running: - require: - so-freqimage - - image: docker.io/soshybridhunter/so-freqserver:HH1.0.3 + - image: docker.io/{{ IMAGEREPO }}/so-freqserver:HH1.0.3 - hostname: freqserver - name: so-freqserver - user: freqserver diff --git a/salt/grafana/dashboards/master/master.json b/salt/grafana/dashboards/manager/manager.json similarity index 99% rename from salt/grafana/dashboards/master/master.json rename to salt/grafana/dashboards/manager/manager.json index d1b2bf899..bf2580d34 100644 --- a/salt/grafana/dashboards/master/master.json +++ b/salt/grafana/dashboards/manager/manager.json @@ -12,7 +12,7 @@ } ] }, - "description": "This Dashboard provides a general overview of the Master", + "description": "This Dashboard provides a general overview of the Manager", "editable": true, "gnetId": 2381, "graphTooltip": 0, @@ -4162,7 +4162,7 @@ ] }, "timezone": "browser", - "title": "Master Node - {{ SERVERNAME }} Overview", + "title": "Manager Node - {{ SERVERNAME }} Overview", "uid": "{{ UID }}", "version": 3 } \ No newline at end of file diff --git a/salt/grafana/dashboards/mastersearch/mastersearch.json b/salt/grafana/dashboards/managersearch/managersearch.json similarity index 99% rename from salt/grafana/dashboards/mastersearch/mastersearch.json rename to salt/grafana/dashboards/managersearch/managersearch.json index 5ed9f9617..485509477 100644 --- a/salt/grafana/dashboards/mastersearch/mastersearch.json +++ b/salt/grafana/dashboards/managersearch/managersearch.json @@ -13,7 +13,7 @@ } ] }, - "description": "This Dashboard provides a general overview of a MasterSearch Node", + "description": "This Dashboard provides a general overview of a ManagerSearch Node", "editable": true, "gnetId": 2381, "graphTooltip": 0, diff --git a/salt/grafana/dashboards/standalone/standalone.json b/salt/grafana/dashboards/standalone/standalone.json index 7624e72f6..5b11eefb4 100644 --- a/salt/grafana/dashboards/standalone/standalone.json +++ b/salt/grafana/dashboards/standalone/standalone.json @@ -461,7 +461,7 @@ "timeFrom": null, "timeRegions": [], "timeShift": null, - "title": "Panel Title{{ SERVERNAME }} - Kibana CPU", + "title": "{{ SERVERNAME }} - Kibana CPU", "tooltip": { "shared": true, "sort": 0, diff --git a/salt/grafana/etc/dashboards/dashboard.yml b/salt/grafana/etc/dashboards/dashboard.yml index 9ae71e6a4..72f77f845 100644 --- a/salt/grafana/etc/dashboards/dashboard.yml +++ b/salt/grafana/etc/dashboards/dashboard.yml @@ -3,20 +3,20 @@ apiVersion: 1 providers: {%- if grains['role'] != 'so-eval' %} -- name: 'Master' - folder: 'Master' +- name: 'Manager' + folder: 'Manager' type: file disableDeletion: false editable: true options: - path: /etc/grafana/grafana_dashboards/master -- name: 'Master Search' - folder: 'Master Search' + path: /etc/grafana/grafana_dashboards/manager +- name: 'Manager Search' + folder: 'Manager Search' type: file disableDeletion: false editable: true options: - path: /etc/grafana/grafana_dashboards/mastersearch + path: /etc/grafana/grafana_dashboards/managersearch - name: 'Sensor Nodes' folder: 'Sensor Nodes' type: file diff --git a/salt/grafana/etc/datasources/influxdb.yaml b/salt/grafana/etc/datasources/influxdb.yaml index c9f98dc57..c70fd7137 100644 --- a/salt/grafana/etc/datasources/influxdb.yaml +++ b/salt/grafana/etc/datasources/influxdb.yaml @@ -1,4 +1,4 @@ -{%- set MASTER = salt['pillar.get']('static:masterip', '') %} +{%- set MANAGER = salt['pillar.get']('static:managerip', '') %} apiVersion: 1 deleteDatasources: @@ -10,7 +10,7 @@ datasources: type: influxdb access: proxy database: telegraf - url: https://{{ MASTER }}:8086 + url: https://{{ MANAGER }}:8086 jsonData: tlsAuth: false tlsAuthWithCACert: false diff --git a/salt/grafana/etc/grafana.ini b/salt/grafana/etc/grafana.ini index 0327b8bc5..3486ff241 100644 --- a/salt/grafana/etc/grafana.ini +++ b/salt/grafana/etc/grafana.ini @@ -226,13 +226,13 @@ log_queries = #################################### Anonymous Auth ########################## [auth.anonymous] # enable anonymous access -;enabled = false +enabled = true # specify organization name that should be used for unauthenticated users -;org_name = Main Org. +org_name = Main Org. # specify role for unauthenticated users -;org_role = Viewer +org_role = Viewer #################################### Github Auth ########################## [auth.github] diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index d3c457944..e63c9a9c4 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls @@ -1,8 +1,9 @@ -{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %} -{% set MASTER = salt['grains.get']('master') %} +{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} +{% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} -{% if grains['role'] in ['so-master', 'so-mastersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %} +{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %} # Grafana all the things grafanadir: @@ -28,14 +29,14 @@ grafanadashdir: grafanadashmdir: file.directory: - - name: /opt/so/conf/grafana/grafana_dashboards/master + - name: /opt/so/conf/grafana/grafana_dashboards/manager - user: 939 - group: 939 - makedirs: True grafanadashmsdir: file.directory: - - name: /opt/so/conf/grafana/grafana_dashboards/mastersearch + - name: /opt/so/conf/grafana/grafana_dashboards/managersearch - user: 939 - group: 939 - makedirs: True @@ -76,46 +77,46 @@ grafanaconf: - template: jinja - source: salt://grafana/etc -{% if salt['pillar.get']('mastertab', False) %} -{% for SN, SNDATA in salt['pillar.get']('mastertab', {}).items() %} +{% if salt['pillar.get']('managertab', False) %} +{% for SN, SNDATA in salt['pillar.get']('managertab', {}).items() %} {% set NODETYPE = SN.split('_')|last %} {% set SN = SN | regex_replace('_' ~ NODETYPE, '') %} -dashboard-master: +dashboard-manager: file.managed: - - name: /opt/so/conf/grafana/grafana_dashboards/master/{{ SN }}-Master.json + - name: /opt/so/conf/grafana/grafana_dashboards/manager/{{ SN }}-Manager.json - user: 939 - group: 939 - template: jinja - - source: salt://grafana/dashboards/master/master.json + - source: salt://grafana/dashboards/manager/manager.json - defaults: SERVERNAME: {{ SN }} MANINT: {{ SNDATA.manint }} MONINT: {{ SNDATA.manint }} CPUS: {{ SNDATA.totalcpus }} - UID: {{ SNDATA.guid }} + UID: so_overview ROOTFS: {{ SNDATA.rootfs }} NSMFS: {{ SNDATA.nsmfs }} {% endfor %} {% endif %} -{% if salt['pillar.get']('mastersearchtab', False) %} -{% for SN, SNDATA in salt['pillar.get']('mastersearchtab', {}).items() %} +{% if salt['pillar.get']('managersearchtab', False) %} +{% for SN, SNDATA in salt['pillar.get']('managersearchtab', {}).items() %} {% set NODETYPE = SN.split('_')|last %} {% set SN = SN | regex_replace('_' ~ NODETYPE, '') %} -dashboard-mastersearch: +dashboard-managersearch: file.managed: - - name: /opt/so/conf/grafana/grafana_dashboards/mastersearch/{{ SN }}-MasterSearch.json + - name: /opt/so/conf/grafana/grafana_dashboards/managersearch/{{ SN }}-ManagerSearch.json - user: 939 - group: 939 - template: jinja - - source: salt://grafana/dashboards/mastersearch/mastersearch.json + - source: salt://grafana/dashboards/managersearch/managersearch.json - defaults: SERVERNAME: {{ SN }} MANINT: {{ SNDATA.manint }} MONINT: {{ SNDATA.manint }} CPUS: {{ SNDATA.totalcpus }} - UID: {{ SNDATA.guid }} + UID: so_overview ROOTFS: {{ SNDATA.rootfs }} NSMFS: {{ SNDATA.nsmfs }} @@ -138,7 +139,7 @@ dashboard-standalone: MANINT: {{ SNDATA.manint }} MONINT: {{ SNDATA.manint }} CPUS: {{ SNDATA.totalcpus }} - UID: {{ SNDATA.guid }} + UID: so_overview ROOTFS: {{ SNDATA.rootfs }} NSMFS: {{ SNDATA.nsmfs }} @@ -207,7 +208,7 @@ dashboard-{{ SN }}: MANINT: {{ SNDATA.manint }} MONINT: {{ SNDATA.monint }} CPUS: {{ SNDATA.totalcpus }} - UID: {{ SNDATA.guid }} + UID: so_overview ROOTFS: {{ SNDATA.rootfs }} NSMFS: {{ SNDATA.nsmfs }} @@ -216,7 +217,7 @@ dashboard-{{ SN }}: so-grafana: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-grafana:{{ VERSION }} - hostname: grafana - user: socore - binds: diff --git a/salt/idstools/etc/disable.conf b/salt/idstools/etc/disable.conf index e8928c495..84144a495 100644 --- a/salt/idstools/etc/disable.conf +++ b/salt/idstools/etc/disable.conf @@ -1,3 +1,4 @@ +{%- set disabled_sids = salt['pillar.get']('idstools:sids:disabled', {}) -%} # idstools - disable.conf # Example of disabling a rule by signature ID (gid is optional). @@ -8,3 +9,8 @@ # - All regular expression matches are case insensitive. # re:hearbleed # re:MS(0[7-9]|10)-\d+ +{%- if disabled_sids != None %} +{%- for sid in disabled_sids %} +{{ sid }} +{%- endfor %} +{%- endif %} \ No newline at end of file diff --git a/salt/idstools/etc/enable.conf b/salt/idstools/etc/enable.conf index b7738677c..5da0bfc61 100644 --- a/salt/idstools/etc/enable.conf +++ b/salt/idstools/etc/enable.conf @@ -1,3 +1,4 @@ +{%- set enabled_sids = salt['pillar.get']('idstools:sids:enabled', {}) -%} # idstools-rulecat - enable.conf # Example of enabling a rule by signature ID (gid is optional). @@ -8,3 +9,8 @@ # - All regular expression matches are case insensitive. # re:hearbleed # re:MS(0[7-9]|10)-\d+ +{%- if enabled_sids != None %} +{%- for sid in enabled_sids %} +{{ sid }} +{%- endfor %} +{%- endif %} \ No newline at end of file diff --git a/salt/idstools/etc/modify.conf b/salt/idstools/etc/modify.conf index 79d038c26..4ea75ada2 100644 --- a/salt/idstools/etc/modify.conf +++ b/salt/idstools/etc/modify.conf @@ -1,14 +1,12 @@ +{%- set modify_sids = salt['pillar.get']('idstools:sids:modify', {}) -%} # idstools-rulecat - modify.conf # Format: "" "" # Example changing the seconds for rule 2019401 to 3600. #2019401 "seconds \d+" "seconds 3600" - -# Change all trojan-activity rules to drop. Its better to setup a -# drop.conf for this, but this does show the use of back references. -#re:classtype:trojan-activity "(alert)(.*)" "drop\\2" - -# For compatibility, most Oinkmaster modifysid lines should work as -# well. -#modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}" +{%- if modify_sids != None %} +{%- for sid in modify_sids %} +{{ sid }} +{%- endfor %} +{%- endif %} \ No newline at end of file diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index 441ce3c5b..b7b7f8424 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf @@ -1,6 +1,21 @@ ---suricata-version=4.0 +{%- set URLS = salt['pillar.get']('idstools:config:urls') -%} +{%- set RULESET = salt['pillar.get']('idstools:config:ruleset') -%} +{%- set OINKCODE = salt['pillar.get']('idstools:config:oinkcode', '' ) -%} +--suricata-version=5.0 --merged=/opt/so/rules/nids/all.rules --local=/opt/so/rules/nids/local.rules --disable=/opt/so/idstools/etc/disable.conf --enable=/opt/so/idstools/etc/enable.conf --modify=/opt/so/idstools/etc/modify.conf +{%- if RULESET == 'ETOPEN' %} +--etopen +{%- elif RULESET == 'ETPRO' %} +--etpro={{ OINKCODE }} +{%- elif RULESET == 'TALOS' %} +--url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }} +{%- endif %} +{%- if URLS != None %} +{%- for URL in URLS %} +--url={{ URL }} +{%- endfor %} +{%- endif %} diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index d145a4e15..3313fa901 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -13,7 +13,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} # IDSTools Setup idstoolsdir: file.directory: @@ -60,9 +61,11 @@ synclocalnidsrules: so-idstools: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-idstools:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-idstools:{{ VERSION }} - hostname: so-idstools - user: socore - binds: - /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro - /opt/so/rules/nids:/opt/so/rules/nids:rw + - watch: + - file: idstoolsetcsync diff --git a/salt/idstools/localrules/local.rules b/salt/idstools/localrules/local.rules index e01ea913c..95be9156f 100644 --- a/salt/idstools/localrules/local.rules +++ b/salt/idstools/localrules/local.rules @@ -1 +1 @@ -# Put your own custom Snort/Suricata rules in here. +# Put your own custom Snort/Suricata rules in /opt/so/saltstack/local/salt/idstools/localrules/. \ No newline at end of file diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 774db2187..6d8ba4566 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -1,9 +1,9 @@ -{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %} -{% set MASTER = salt['grains.get']('master') %} +{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} +{% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} - -{% if grains['role'] in ['so-master', 'so-mastersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %} +{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone'] and GRAFANA == 1 %} # Influx DB influxconfdir: @@ -26,7 +26,7 @@ influxdbconf: so-influxdb: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-influxdb:{{ VERSION }} - hostname: influxdb - environment: - INFLUXDB_HTTP_LOG_ENABLED=false diff --git a/salt/kibana/bin/keepkibanahappy.sh b/salt/kibana/bin/keepkibanahappy.sh index 28967ee24..e8534ec12 100644 --- a/salt/kibana/bin/keepkibanahappy.sh +++ b/salt/kibana/bin/keepkibanahappy.sh @@ -1,4 +1,4 @@ -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} # Wait for ElasticSearch to come up, so that we can query for version infromation echo -n "Waiting for ElasticSearch..." COUNT=0 diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 81872fd6a..451e848a1 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -1,20 +1,20 @@ #!/bin/bash -# {%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master', False) -%} +# {%- set FLEET_MANAGER = salt['pillar.get']('static:fleet_manager', False) -%} # {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node', False) -%} -# {%- set MASTER = salt['pillar.get']('master:url_base', '') %} +# {%- set MANAGER = salt['pillar.get']('manager:url_base', '') %} KIBANA_VERSION="7.6.1" # Copy template file cp /opt/so/conf/kibana/saved_objects.ndjson.template /opt/so/conf/kibana/saved_objects.ndjson -# {% if FLEET_NODE or FLEET_MASTER %} +# {% if FLEET_NODE or FLEET_MANAGER %} # Fleet IP -sed -i "s/FLEETPLACEHOLDER/{{ MASTER }}/g" /opt/so/conf/kibana/saved_objects.ndjson +#sed -i "s/FLEETPLACEHOLDER/{{ MANAGER }}/g" /opt/so/conf/kibana/saved_objects.ndjson # {% endif %} -# SOCtopus and Master -sed -i "s/PLACEHOLDER/{{ MASTER }}/g" /opt/so/conf/kibana/saved_objects.ndjson +# SOCtopus and Manager +sed -i "s/PLACEHOLDER/{{ MANAGER }}/g" /opt/so/conf/kibana/saved_objects.ndjson # Load saved objects curl -X POST "localhost:5601/api/saved_objects/_import" -H "kbn-xsrf: true" --form file=@/opt/so/conf/kibana/saved_objects.ndjson > /dev/null 2>&1 diff --git a/salt/kibana/etc/kibana.yml b/salt/kibana/etc/kibana.yml index dd0d6faa9..4d19b251b 100644 --- a/salt/kibana/etc/kibana.yml +++ b/salt/kibana/etc/kibana.yml @@ -1,6 +1,6 @@ --- # Default Kibana configuration from kibana-docker. -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} server.name: kibana server.host: "0" server.basePath: /kibana diff --git a/salt/kibana/files/saved_objects.ndjson b/salt/kibana/files/saved_objects.ndjson index 152393142..4bbf891b4 100644 --- a/salt/kibana/files/saved_objects.ndjson +++ b/salt/kibana/files/saved_objects.ndjson @@ -1,710 +1,725 @@ -{"attributes":{"fieldFormatMap":"{\"match_body.source_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"match_body.destination_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_username_override\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_username_override.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_info.slack_webhook_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_webhook_url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_info.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_sent\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endtime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exponent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hits\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.signature_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._index.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.location.lat\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.location.lon\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_ip.keyword\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.num_hits\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.num_matches\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_ipbytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.original_ipbytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.respond_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_ipbytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.respond_ipbytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.source_ip.keyword\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-sourceip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-sourceip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matches\",\"type\":\"number\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"starttime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"time_taken\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traceback\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traceback.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"until\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:elastalert_status*"},"id":"*:elastalert_status*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-06-15T18:49:59.193Z","version":"WzkwLDFd"} -{"attributes":{"fieldFormatMap":"{\"_id\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PCAPPLACEHOLDER/securityonion/joblookup?esid={{ value }}\",\"labelTemplate\":\"{{value}}\"}},\"uid\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"source_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"destination_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"source_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'source_port:\\\"{{value}}\\\" OR destination_port:\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"destination_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'source_port:\\\"{{value}}\\\" OR destination_port:\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"fuid\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"resp_fuids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"orig_fuids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"sid\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}},\"port\":{\"id\":\"number\",\"params\":{\"pattern\":\"0.[000]\"}},\"query\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"query.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"server_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"server_name.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"virtual_host\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"virtual_host.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"indicator\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"indicator.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"file_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"file_ip.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"signature_info\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"{{rawValue}}\",\"labelTemplate\":\"{{value}}\"}},\"highest_registered_domain\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"highest_registered_domain.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"domain_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"domain_name.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"duration\":{\"id\":\"duration\",\"params\":{\"outputFormat\":\"asSeconds\",\"outputPrecision\":6}},\"missed_bytes\":{\"id\":\"bytes\"},\"missing_bytes\":{\"id\":\"bytes\"},\"original_bytes\":{\"id\":\"bytes\"},\"original_ip_bytes\":{\"id\":\"bytes\"},\"overflow_bytes\":{\"id\":\"bytes\"},\"respond_bytes\":{\"id\":\"bytes\"},\"respond_ip_bytes\":{\"id\":\"bytes\"},\"seen_bytes\":{\"id\":\"bytes\"},\"total_bytes\":{\"id\":\"bytes\"},\"rtt\":{\"id\":\"number\",\"params\":{\"pattern\":\"0,0.[0000000]\"}},\"uids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"osquery.LiveQuery\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"LiveQuery\"}},\"TheHive\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"\",\"labelTemplate\":\"Add2Hive\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"aa\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"aa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ack\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ack.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"analyzer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"analyzer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"answers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"answers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"auth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_attempts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints.path_len\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_path_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_host.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_host.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bound_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"call_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"call_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_exponent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_exponent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_number_days_valid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_permanent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_permanent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_signing_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_signing_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"checksum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"checksum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"class.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_build.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_digital_product_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_digital_product_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_fqdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_fqdn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_host_key_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_host_key_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"community\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"community.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compile_ts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compile_ts.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compression_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compression_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connect_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connect_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookie\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.arch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.arch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.dpkg_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.dpkg_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.file\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.file.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_cores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_cores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_mhz\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_mhz.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_free\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_free.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_total\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_total.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_usage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_usage.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.broadcast\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.broadcast.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.dhcp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.dhcp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.gateway\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.gateway.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.metric\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.metric.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.netmask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.netmask.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.dhcp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.dhcp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.netmask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.netmask.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.mtu\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mtu.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_bytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_errors.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_packets\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_packets.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_bytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_errors.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_packets\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_packets.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.architecture.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.codename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.platform\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.platform.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.release\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.release_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.sysname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.sysname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.package\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.package.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.inode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.inode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.local_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.local_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.remote_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.rx_queue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.rx_queue.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.tx_queue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.tx_queue.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.args.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.cmd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.cmd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.egroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.egroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.euser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.euser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.fgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.fgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.nice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.nice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.nlwp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.nlwp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.pgrp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pgrp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.ppid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.ppid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.processor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.processor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.resident\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.resident.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.rgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.rgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.ruser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.ruser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.session\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.session.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.sgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.sgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.share\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.share.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.start_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.start_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.stime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.stime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.suser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.suser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.tgid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.tgid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.utime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.utime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.vm_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.vm_size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.architecture.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.format\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.format.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.multiarch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.multiarch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.section\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.section.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.vendor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.vendor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.pwd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.title.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_passive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_channel_passive.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.ftscomment\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.ftscomment.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.parent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.parent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"desktop_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_width\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dest_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_city\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_city.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_iso_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_iso_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_latitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_region.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dir\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dir.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"direction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"direction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"display_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"display_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"enabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"enabled.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"endpoint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry_location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry_location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"escalated_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"escalated_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"established\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"established.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exception\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exception.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted_cutoff\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted_cutoff.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"first_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"first_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"flow_label\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"flow_label.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"forwardable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"forwardable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"framed_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"framed_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"freq_virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"freq_virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"frequency_scores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"frequency_scores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"full_log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"full_log.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"function\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"function.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_bulk_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_bulk_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_responses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_responses.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_cert_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_cert_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_debug_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_debug_data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_export_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_export_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_import_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_import_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_server_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_server_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"highest_registered_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hop_limit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hop_limit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"iin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"iin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in_reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in_reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"info_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"initiated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"input.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"interface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"interface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ecn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_ecn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_offset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_tos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_tos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_64bit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_64bit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_exe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_exe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_source_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_source_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_webmail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_webmail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_distinguished_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ja3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ja3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ja3s\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ja3s.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kex_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kex_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keyboard_layout\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keyboard_layout.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"launch_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"launch_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lease_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"lease_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log.file.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logged.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"manager.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"manager.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matched\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matched.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mimetype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mimetype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missing_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"n\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"named_pipe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"named_pipe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"native_file_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"native_file_system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"next_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"next_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nick\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nick.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"note\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"note.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"num_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"offset\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"options\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"options.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.EndpointIP1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.EndpointIP1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.EndpointIP2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.EndpointIP2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.LiveQuery\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.LiveQuery.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.calendarTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.calendarTime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.codename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.gid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.gid_signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.gid_signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.shell\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.shell.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uid_signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uid_signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.counter\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.epoch\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hardware_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hardware_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hostIdentifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hostIdentifier.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.unixTime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_agent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_agent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"overflow_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"predecoder.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"predecoder.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"predecoder.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"predecoder.timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prev_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prev_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"profile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"profile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prospector.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prospector.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"proxied.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_class_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_type_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ra\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ra.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rcode_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"recipient_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"recipient_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rejected\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rejected.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_location.country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_color_depth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_color_depth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_resource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_resource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"respond_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resumed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resumed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rows.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"san_dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"san_dns.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"second_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"second_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"section_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"section_names.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"security_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"security_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_node\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_node.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_where\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_where.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sequence_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_dns_computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_dns_computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_host_key_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_host_key_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_major_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_minor_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_nb_computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_nb_computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_tree_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_tree_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"set_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"set_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_flag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_flag.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"site.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sources.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_rule_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_rule_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"suppress_for\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.event.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.gid_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.gid_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.gname_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.gname_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.inode_after\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.md5_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.md5_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.md5_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.md5_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.mtime_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.mtime_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.mtime_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.mtime_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.perm_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.perm_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha1_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha1_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha1_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha1_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha256_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha256_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha256_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha256_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.size_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.size_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.size_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.size_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.uid_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.uid_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.uname_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.uname_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-sourceip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sysmon_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sysmon_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tcp_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tcp_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"terminal_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timed_out\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timed_out.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_accessed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_accessed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_changed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_changed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_created.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_modified.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tld.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tld.subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"top_level_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tracker_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tracker_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"trans_depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"transaction_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ttls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"unparsed_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"unparsed_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"up_since\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"up_since.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"urg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"urg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"useragent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_aslr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_aslr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_code_integrity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_code_integrity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_dep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_dep.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_seh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_seh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_till\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_till.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"validation_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"validation_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"warning\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"warning.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.firedtimes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.gdpr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.gdpr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.gpg13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.gpg13.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.groups\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.groups.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.mail\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.pci_dss\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.pci_dss.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"width.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"window\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"window.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x_originating_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"year\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"z.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TheHive\",\"type\":\"string\",\"count\":0,\"scripted\":true,\"script\":\"'soctopus/thehive/alert/' + doc['_id'].value\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:logstash-*"},"id":"*:logstash-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security Onion - Network Data","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network Data\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Datasets** \\n[Connections](/kibana/app/kibana#/dashboard/0cc628b0-6e9f-11ea-9266-1fd14ca6af34) | [DCE/RPC](/kibana/app/kibana#/dashboard/9e882df0-72c5-11ea-8dd2-9d8795a1200b) |\\n[DHCP](/kibana/app/kibana#/dashboard/80625c10-96dd-11ea-814e-bb515e873c2c) \\n[DNP3](/kibana/app/kibana#/dashboard/b1f52180-755a-11ea-9565-7315f4ee5cac) | [DNS](/kibana/app/kibana#/dashboard/55ac6bf0-6ec4-11ea-9266-1fd14ca6af34) |\\n[FTP](/kibana/app/kibana#/dashboard/739bfad0-755a-11ea-9565-7315f4ee5cac) |\\n[HTTP](/kibana/app/kibana#/dashboard/44e9c820-6eb1-11ea-9266-1fd14ca6af34) | [IRC](/kibana/app/kibana#/dashboard/38523560-75ba-11ea-9565-7315f4ee5cac) |\\n[Kerberos](/kibana/app/kibana#/dashboard/b207ab90-75bc-11ea-9565-7315f4ee5cac) \\n[Modbus](/kibana/app/kibana#/dashboard/886a7b90-75bd-11ea-9565-7315f4ee5cac) | \\n[MySQL](/kibana/app/kibana#/dashboard/c3ced6d0-75be-11ea-9565-7315f4ee5cac) | \\n[NTLM](/kibana/app/kibana#/dashboard/558292e0-75c1-11ea-9565-7315f4ee5cac) | \\n[RADIUS](/kibana/app/kibana#/dashboard/b9769e60-75c4-11ea-9565-7315f4ee5cac) | [RDP](/kibana/app/kibana#/dashboard/5b743150-75c5-11ea-9565-7315f4ee5cac) | \\n[RFB](/kibana/app/kibana#/dashboard/c8b3c360-75c6-11ea-9565-7315f4ee5cac) | [SIP](/kibana/app/kibana#/dashboard/dd98e260-75c6-11ea-9565-7315f4ee5cac) \\n[SMB](/kibana/app/kibana#/dashboard/f24d7b80-75c6-11ea-9565-7315f4ee5cac) | [SMTP](/kibana/app/kibana#/dashboard/00304500-75e7-11ea-9565-7315f4ee5cac) | [SNMP](/kibana/app/kibana#/dashboard/96522610-75e8-11ea-9565-7315f4ee5cac) | \\n[SSH](/kibana/app/kibana#/dashboard/9dfd77e0-75eb-11ea-9565-7315f4ee5cac) | [SSL](/kibana/app/kibana#/dashboard/efae8de0-75eb-11ea-9565-7315f4ee5cac) | [Syslog](/kibana/app/kibana#/dashboard/66499a20-75ed-11ea-9565-7315f4ee5cac) | [Tunnels](/kibana/app/kibana#/dashboard/c962dd60-75ed-11ea-9565-7315f4ee5cac) | [X.509](/kibana/app/kibana#/dashboard/2e0865f0-75ee-11ea-9565-7315f4ee5cac) \\n\"},\"aggs\":[]}"},"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEsMV0="} -{"attributes":{"fieldFormatMap":"{\"network.community_id\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:network.community_id,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(network.community_id:'{{ value }}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.port\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.port:'{{ value }}')),(term:(destination.port:'{{ value }}')))),meta:(alias:'source.port:%20!'{{ value }}!'%20OR%20destination.port:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.port%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.port%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.port\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.port:'{{ value }}')),(term:(destination.port:'{{ value }}')))),meta:(alias:'source.port:%20!'{{ value }}!'%20OR%20destination.port:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.port%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.port%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.fuid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.fuid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.fuid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.fuid.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.fuid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.fuid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.uid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.uid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.uid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.uid.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.uid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.uid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"_id\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://PLACEHOLDER/securityonion/joblookup?esid={{ value }}\",\"labelTemplate\":\"{{ value }}\"}},\"client.bytes\":{\"id\":\"bytes\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"server.bytes\":{\"id\":\"bytes\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"Push to TheHive\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"\",\"labelTemplate\":\"Click to create an alert in TheHive\"}},\"event.dataset\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.dataset.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.dataset.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.dataset.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.dataset.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.dataset.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.module\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.module.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"agent.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:agent.name.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(agent.name.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"agent.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:agent.name.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(agent.name.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"rule.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.name:'{{ value }}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:''),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"rule.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.name:'{{ value }}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:''),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"osquery.result.live_query\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://FLEETPLACEHOLDER/fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"Live Query\"}},\"osquery.result.live_query.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://FLEETPLACEHOLDER/fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"Live Query\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ip\"}}},{\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"client.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.address\"}}},{\"name\":\"client.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.id.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.id.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.id.product\"}}},{\"name\":\"client.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.ip\"}}},{\"name\":\"client.ip_bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.name\"}}},{\"name\":\"client.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.port.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.port\"}}},{\"name\":\"client.user_agent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.user_agent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.user_agent\"}}},{\"name\":\"connection.bytes.missed\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.history\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.history.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.history\"}}},{\"name\":\"connection.local.originator\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.local.responder\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.state\"}}},{\"name\":\"connection.state_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.state_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.state_description\"}}},{\"name\":\"data.data\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.data.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.data\"}}},{\"name\":\"data.euid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.euid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.euid\"}}},{\"name\":\"data.file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.file.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.file\"}}},{\"name\":\"data.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.gid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gid\"}}},{\"name\":\"data.home\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.home.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.home\"}}},{\"name\":\"data.pwd\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.pwd.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.pwd\"}}},{\"name\":\"data.shell\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.shell.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.shell\"}}},{\"name\":\"data.srcport\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.srcport.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcport\"}}},{\"name\":\"data.srcuser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.srcuser.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcuser\"}}},{\"name\":\"data.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.title.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.title\"}}},{\"name\":\"data.tty\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.tty.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.tty\"}}},{\"name\":\"data.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.uid\"}}},{\"name\":\"dce_rpc.endpoint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.endpoint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.endpoint\"}}},{\"name\":\"dce_rpc.named_pipe\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.named_pipe.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.named_pipe\"}}},{\"name\":\"dce_rpc.operation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.operation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.operation\"}}},{\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.city_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.city_name\"}}},{\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.continent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.continent_name\"}}},{\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.country_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_iso_code\"}}},{\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.country_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_name\"}}},{\"name\":\"destination.geo.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.ip\"}}},{\"name\":\"destination.geo.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.region_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_iso_code\"}}},{\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.region_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_name\"}}},{\"name\":\"destination.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.timezone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.timezone\"}}},{\"name\":\"destination.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.hostname\"}}},{\"name\":\"destination.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.ip\"}}},{\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dhcp.assigned_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.assigned_ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.assigned_ip\"}}},{\"name\":\"dhcp.lease_time\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dhcp.message_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.message_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.message_types\"}}},{\"name\":\"dhcp.requested_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.requested_address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.requested_address\"}}},{\"name\":\"dnp3.fc_reply\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dnp3.fc_reply.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_reply\"}}},{\"name\":\"dnp3.fc_request\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dnp3.fc_request.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_request\"}}},{\"name\":\"dnp3.iin\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.answers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.answers.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.answers\"}}},{\"name\":\"dns.authoritative\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.highest_registered_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.highest_registered_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.highest_registered_domain\"}}},{\"name\":\"dns.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.parent_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.parent_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.parent_domain\"}}},{\"name\":\"dns.parent_domain_length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.class\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.class_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.class_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.class_name\"}}},{\"name\":\"dns.query.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.name\"}}},{\"name\":\"dns.query.rejected\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.type\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.type_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.type_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.type_name\"}}},{\"name\":\"dns.recursion.available\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.recursion.desired\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.reserved\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.response.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.response.code_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.response.code_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.response.code_name\"}}},{\"name\":\"dns.subdomain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.subdomain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.subdomain\"}}},{\"name\":\"dns.subdomain_length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.top_level_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.top_level_domain\"}}},{\"name\":\"dns.truncated\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.ttls\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"error.reason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error.reason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"error.reason\"}}},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.created\"}}},{\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.provider.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.provider\"}}},{\"name\":\"event.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.timestamp\"}}},{\"name\":\"file.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.action\"}}},{\"name\":\"file.analyzer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.analyzer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.analyzer\"}}},{\"name\":\"file.aslr\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.missing\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.overflow\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.seen\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.total\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_integrity\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.compile_timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.compile_timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.compile_timestamp\"}}},{\"name\":\"file.debug_data\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.dep\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.extracted.cutoff\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.extracted.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.extracted.filename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.extracted.filename\"}}},{\"name\":\"file.is_64bit\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.is_exe\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.is_orig\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.local_orig\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.machine\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.machine.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.machine\"}}},{\"name\":\"file.mime_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.mime_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.mime_type\"}}},{\"name\":\"file.mimetype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.mimetype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.mimetype\"}}},{\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.name\"}}},{\"name\":\"file.orig_filenames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.orig_filenames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.orig_filenames\"}}},{\"name\":\"file.orig_mime_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.orig_mime_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.orig_mime_types\"}}},{\"name\":\"file.os\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.os.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.os\"}}},{\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"name\":\"file.resp_filenames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.resp_filenames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.resp_filenames\"}}},{\"name\":\"file.resp_mime_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.resp_mime_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.resp_mime_types\"}}},{\"name\":\"file.section_names\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.section_names.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.section_names\"}}},{\"name\":\"file.seh\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.source\"}}},{\"name\":\"file.subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.subsystem\"}}},{\"name\":\"file.table.cert\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.table.export\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.table.import\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.timed_out\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.times_accessed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_accessed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_accessed\"}}},{\"name\":\"file.times_changed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_changed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_changed\"}}},{\"name\":\"file.times_created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_created\"}}},{\"name\":\"file.times_modified\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_modified.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_modified\"}}},{\"name\":\"ftp.argument\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.argument.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.argument\"}}},{\"name\":\"ftp.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.command\"}}},{\"name\":\"ftp.data_channel_destination.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.data_channel_destination.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.data_channel_destination.ip\"}}},{\"name\":\"ftp.data_channel_destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_passive\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_source.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.data_channel_source.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.data_channel_source.ip\"}}},{\"name\":\"ftp.password\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.password.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.password\"}}},{\"name\":\"ftp.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.user.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.user\"}}},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash.hassh\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.hassh.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.hassh\"}}},{\"name\":\"hash.ja3\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ja3.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ja3\"}}},{\"name\":\"hash.ja3s\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ja3s.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ja3s\"}}},{\"name\":\"hash.md5\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.md5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.md5\"}}},{\"name\":\"hash.sha1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.sha1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.sha1\"}}},{\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.architecture.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.architecture\"}}},{\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.domain\"}}},{\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.hostname\"}}},{\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.id\"}}},{\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.mac.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.mac\"}}},{\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.name\"}}},{\"name\":\"host.os.build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.build\"}}},{\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.family\"}}},{\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.kernel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.kernel\"}}},{\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.platform.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.platform\"}}},{\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.version\"}}},{\"name\":\"host.syscheck.event\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.event.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.event\"}}},{\"name\":\"host.syscheck.gid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.gid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gid_after\"}}},{\"name\":\"host.syscheck.gname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.gname_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gname_after\"}}},{\"name\":\"host.syscheck.inode_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.syscheck.inode_before\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.syscheck.md5_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.md5_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_after\"}}},{\"name\":\"host.syscheck.md5_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.md5_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_before\"}}},{\"name\":\"host.syscheck.mtime_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mtime_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_after\"}}},{\"name\":\"host.syscheck.mtime_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mtime_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_before\"}}},{\"name\":\"host.syscheck.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.path\"}}},{\"name\":\"host.syscheck.perm_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.perm_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.perm_after\"}}},{\"name\":\"host.syscheck.sha1_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha1_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_after\"}}},{\"name\":\"host.syscheck.sha1_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha1_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_before\"}}},{\"name\":\"host.syscheck.sha256_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha256_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_after\"}}},{\"name\":\"host.syscheck.sha256_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha256_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_before\"}}},{\"name\":\"host.syscheck.size_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.size_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.size_after\"}}},{\"name\":\"host.syscheck.size_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.size_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.size_before\"}}},{\"name\":\"host.syscheck.uid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.uid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uid_after\"}}},{\"name\":\"host.syscheck.uname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.uname_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uname_after\"}}},{\"name\":\"http.info_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.info_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.info_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.info_message\"}}},{\"name\":\"http.method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.method\"}}},{\"name\":\"http.proxied\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.proxied.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.proxied\"}}},{\"name\":\"http.referrer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.referrer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.referrer\"}}},{\"name\":\"http.request.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.status_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.status_message\"}}},{\"name\":\"http.trans_depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.uri\"}}},{\"name\":\"http.useragent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.useragent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.useragent\"}}},{\"name\":\"http.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.version\"}}},{\"name\":\"http.virtual_host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.virtual_host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.virtual_host\"}}},{\"name\":\"ingest.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ingest.timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ingest.timestamp\"}}},{\"name\":\"irc.command.info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.info\"}}},{\"name\":\"irc.command.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.type\"}}},{\"name\":\"irc.command.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.value\"}}},{\"name\":\"irc.nickname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.nickname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.nickname\"}}},{\"name\":\"irc.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.username\"}}},{\"name\":\"kerberos.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.client\"}}},{\"name\":\"kerberos.error_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.error_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.error_message\"}}},{\"name\":\"kerberos.request_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.request_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.request_type\"}}},{\"name\":\"kerberos.server.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.server.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.server.certificate.subject\"}}},{\"name\":\"kerberos.service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.service\"}}},{\"name\":\"kerberos.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.cipher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.cipher.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.cipher\"}}},{\"name\":\"kerberos.ticket.forwardable\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.renewable\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.valid.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.valid.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.from\"}}},{\"name\":\"kerberos.ticket.valid.until\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.valid.until.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.until\"}}},{\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.full\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.full.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.full\"}}},{\"name\":\"log.id.client_certificate_fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.client_certificate_fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.client_certificate_fuid\"}}},{\"name\":\"log.id.fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.fuid\"}}},{\"name\":\"log.id.fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.fuids\"}}},{\"name\":\"log.id.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.id\"}}},{\"name\":\"log.id.orig_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.orig_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.orig_fuids\"}}},{\"name\":\"log.id.resp_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.resp_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.resp_fuids\"}}},{\"name\":\"log.id.server_certificate_fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.server_certificate_fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.server_certificate_fuid\"}}},{\"name\":\"log.id.tunnel_parents\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.tunnel_parents.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.tunnel_parents\"}}},{\"name\":\"log.id.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.uid\"}}},{\"name\":\"log.id.uids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.uids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.uids\"}}},{\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.level\"}}},{\"name\":\"log.location\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.location.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.location\"}}},{\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log.previous_log\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.previous_log.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.previous_log\"}}},{\"name\":\"log.previous_output\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.previous_output.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.previous_output\"}}},{\"name\":\"manager.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"manager.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"manager.name\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"modbus.exception\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"modbus.exception.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"modbus.exception\"}}},{\"name\":\"modbus.function\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"modbus.function.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"modbus.function\"}}},{\"name\":\"mysql.argument\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.argument.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.argument\"}}},{\"name\":\"mysql.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.command\"}}},{\"name\":\"mysql.response\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.response.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.response\"}}},{\"name\":\"mysql.rows\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.community_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.community_id\"}}},{\"name\":\"network.data.decoded\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.data.decoded.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.data.decoded\"}}},{\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.protocol\"}}},{\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.transport.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.transport\"}}},{\"name\":\"notice.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.action\"}}},{\"name\":\"notice.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.message\"}}},{\"name\":\"notice.note\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.note.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.note\"}}},{\"name\":\"notice.p\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice.peer_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.peer_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.peer_description\"}}},{\"name\":\"notice.sub_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.sub_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.sub_message\"}}},{\"name\":\"notice.suppress_for\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm.server.dns.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.dns.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.dns.name\"}}},{\"name\":\"ntlm.server.nb.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.nb.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.nb.name\"}}},{\"name\":\"ntlm.server.tree.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.tree.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.tree.name\"}}},{\"name\":\"ntlm.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"observer.analyzer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"observer.analyzer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"observer.analyzer\"}}},{\"name\":\"observer.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"observer.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"observer.name\"}}},{\"name\":\"osquery.result.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.action\"}}},{\"name\":\"osquery.result.calendar_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.calendar_time.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.calendar_time\"}}},{\"name\":\"osquery.result.codename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.codename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.codename\"}}},{\"name\":\"osquery.result.columns.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.address\"}}},{\"name\":\"osquery.result.columns.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.description\"}}},{\"name\":\"osquery.result.columns.directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.directory\"}}},{\"name\":\"osquery.result.columns.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.gid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.gid\"}}},{\"name\":\"osquery.result.columns.gid_signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.gid_signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.gid_signed\"}}},{\"name\":\"osquery.result.columns.hostnames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.hostnames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.hostnames\"}}},{\"name\":\"osquery.result.columns.shell\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.shell.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.shell\"}}},{\"name\":\"osquery.result.columns.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uid\"}}},{\"name\":\"osquery.result.columns.uid_signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uid_signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uid_signed\"}}},{\"name\":\"osquery.result.columns.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.username\"}}},{\"name\":\"osquery.result.columns.uuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uuid\"}}},{\"name\":\"osquery.result.counter\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.endpoint_ip1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.endpoint_ip1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip1\"}}},{\"name\":\"osquery.result.endpoint_ip2\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.endpoint_ip2.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip2\"}}},{\"name\":\"osquery.result.epoch\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.hardware_serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hardware_serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hardware_serial\"}}},{\"name\":\"osquery.result.host_identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.host_identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.host_identifier\"}}},{\"name\":\"osquery.result.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hostname\"}}},{\"name\":\"osquery.result.live_query\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.live_query.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.live_query\"}}},{\"name\":\"osquery.result.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.name\"}}},{\"name\":\"osquery.result.numerics\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.unix_time\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"name\":\"process.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.entity_id\"}}},{\"name\":\"process.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"name\":\"process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.command_line\"}}},{\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.entity_id\"}}},{\"name\":\"process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"name\":\"process.pe.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.description\"}}},{\"name\":\"process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.file_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.file_version\"}}},{\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.original_file_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.original_file_name\"}}},{\"name\":\"process.pe.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.product\"}}},{\"name\":\"process.pid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pid\"}}},{\"name\":\"process.ppid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.ppid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.ppid\"}}},{\"name\":\"process.working_directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.working_directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"name\":\"radius.framed_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.framed_address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.framed_address\"}}},{\"name\":\"radius.reply_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.reply_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.reply_message\"}}},{\"name\":\"radius.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.result\"}}},{\"name\":\"rdp.certificate_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.certificate_permanent\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.certificate_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.certificate_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.certificate_type\"}}},{\"name\":\"rdp.client_build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.client_build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.client_build\"}}},{\"name\":\"rdp.cookie\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.cookie.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.cookie\"}}},{\"name\":\"rdp.desktop.height\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.desktop.width\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.encryption_level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.encryption_level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_level\"}}},{\"name\":\"rdp.encryption_method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.encryption_method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_method\"}}},{\"name\":\"rdp.keyboard_layout\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.keyboard_layout.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.keyboard_layout\"}}},{\"name\":\"rdp.requested_color_depth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.requested_color_depth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.requested_color_depth\"}}},{\"name\":\"rdp.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.result\"}}},{\"name\":\"rdp.security_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.security_protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.security_protocol\"}}},{\"name\":\"rule.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.action\"}}},{\"name\":\"rule.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.category\"}}},{\"name\":\"rule.cis\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.cis.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.cis\"}}},{\"name\":\"rule.firedtimes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.frequency\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.gdpr\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.gdpr.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gdpr\"}}},{\"name\":\"rule.gid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.gpg13\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.gpg13.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gpg13\"}}},{\"name\":\"rule.groups\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.groups.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.groups\"}}},{\"name\":\"rule.hipaa\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.hipaa.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.hipaa\"}}},{\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.id\"}}},{\"name\":\"rule.level\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.mail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.metadata.affected_product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.affected_product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.affected_product\"}}},{\"name\":\"rule.metadata.attack_target\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.attack_target.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.attack_target\"}}},{\"name\":\"rule.metadata.created_at\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.created_at.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.created_at\"}}},{\"name\":\"rule.metadata.deployment\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.deployment.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.deployment\"}}},{\"name\":\"rule.metadata.former_category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.former_category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.former_category\"}}},{\"name\":\"rule.metadata.malware_family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.malware_family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.malware_family\"}}},{\"name\":\"rule.metadata.performance_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.performance_impact.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.performance_impact\"}}},{\"name\":\"rule.metadata.signature_severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.signature_severity.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.signature_severity\"}}},{\"name\":\"rule.metadata.tag\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.tag.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.tag\"}}},{\"name\":\"rule.metadata.updated_at\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.updated_at.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.updated_at\"}}},{\"name\":\"rule.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.name\"}}},{\"name\":\"rule.nist_800_53\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.nist_800_53.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.nist_800_53\"}}},{\"name\":\"rule.pci_dss\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.pci_dss.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.pci_dss\"}}},{\"name\":\"rule.rev\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.rule\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.rule.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.rule\"}}},{\"name\":\"rule.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.uuid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.address\"}}},{\"name\":\"server.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.ip\"}}},{\"name\":\"server.ip_bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.port.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.port\"}}},{\"name\":\"server.reply_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.reply_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.reply_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.reply_message\"}}},{\"name\":\"server.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.status_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.status_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.status_message\"}}},{\"name\":\"sip.call_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.call_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.call_id\"}}},{\"name\":\"sip.content_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.content_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.content_type\"}}},{\"name\":\"sip.date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.date\"}}},{\"name\":\"sip.method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.method\"}}},{\"name\":\"sip.request.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.request.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.from\"}}},{\"name\":\"sip.request.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.path\"}}},{\"name\":\"sip.request.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.to\"}}},{\"name\":\"sip.response.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.response.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.from\"}}},{\"name\":\"sip.response.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.path\"}}},{\"name\":\"sip.response.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.to\"}}},{\"name\":\"sip.seq\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.seq.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.seq\"}}},{\"name\":\"sip.transaction.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.uri\"}}},{\"name\":\"sip.warning\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.warning.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.warning\"}}},{\"name\":\"smb.file_system\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.file_system.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.file_system\"}}},{\"name\":\"smb.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.path\"}}},{\"name\":\"smb.service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.service\"}}},{\"name\":\"smb.share_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.share_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.share_type\"}}},{\"name\":\"smtp.cc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.cc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.cc\"}}},{\"name\":\"smtp.first_received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.first_received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.first_received\"}}},{\"name\":\"smtp.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.from\"}}},{\"name\":\"smtp.helo\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.helo.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.helo\"}}},{\"name\":\"smtp.in_reply_to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.in_reply_to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.in_reply_to\"}}},{\"name\":\"smtp.is_webmail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.last_reply\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.last_reply.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.last_reply\"}}},{\"name\":\"smtp.mail_date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_date\"}}},{\"name\":\"smtp.mail_from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_from\"}}},{\"name\":\"smtp.message_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.message_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.message_id\"}}},{\"name\":\"smtp.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.path\"}}},{\"name\":\"smtp.recipient_to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.recipient_to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.recipient_to\"}}},{\"name\":\"smtp.second_received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.second_received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.second_received\"}}},{\"name\":\"smtp.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.subject\"}}},{\"name\":\"smtp.tls\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.to\"}}},{\"name\":\"smtp.transaction_depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.useragent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.useragent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.useragent\"}}},{\"name\":\"snmp.community\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.community.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.community\"}}},{\"name\":\"snmp.display_string\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.display_string.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.display_string\"}}},{\"name\":\"snmp.get.bulk_requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.get.requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.get.responses\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.set.requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.up_since\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.up_since.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.up_since\"}}},{\"name\":\"snmp.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.version\"}}},{\"name\":\"socks.bound.host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.bound.host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.bound.host\"}}},{\"name\":\"socks.bound.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"socks.request.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.request.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.request.name\"}}},{\"name\":\"socks.request.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"socks.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.status\"}}},{\"name\":\"socks.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.user.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.user\"}}},{\"name\":\"socks.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.name\"}}},{\"name\":\"software.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.type\"}}},{\"name\":\"software.version.additional_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.version.additional_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.version.additional_info\"}}},{\"name\":\"software.version.major\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.minor\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.minor2\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.unparsed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.version.unparsed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.version.unparsed\"}}},{\"name\":\"source.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.city_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.city_name\"}}},{\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.continent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.continent_name\"}}},{\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.country_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_iso_code\"}}},{\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.country_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_name\"}}},{\"name\":\"source.geo.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.ip\"}}},{\"name\":\"source.geo.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.region_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_iso_code\"}}},{\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.region_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_name\"}}},{\"name\":\"source.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.timezone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.timezone\"}}},{\"name\":\"source.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.hostname\"}}},{\"name\":\"source.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.ip\"}}},{\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.authentication.attempts\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.authentication.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.cipher_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.cipher_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.cipher_algorithm\"}}},{\"name\":\"ssh.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.client\"}}},{\"name\":\"ssh.client_host_key_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client_host_key_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.client_host_key_algorithms\"}}},{\"name\":\"ssh.compression_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.compression_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.compression_algorithm\"}}},{\"name\":\"ssh.direction\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.direction.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.direction\"}}},{\"name\":\"ssh.hassh_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_algorithms\"}}},{\"name\":\"ssh.hassh_server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server\"}}},{\"name\":\"ssh.hassh_server_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_server_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server_algorithms\"}}},{\"name\":\"ssh.hassh_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_version\"}}},{\"name\":\"ssh.host_key\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.host_key.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key\"}}},{\"name\":\"ssh.host_key_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.host_key_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key_algorithm\"}}},{\"name\":\"ssh.kex_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.kex_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.kex_algorithm\"}}},{\"name\":\"ssh.mac_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.mac_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.mac_algorithm\"}}},{\"name\":\"ssh.server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.server\"}}},{\"name\":\"ssh.server_host_key_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server_host_key_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.server_host_key_algorithms\"}}},{\"name\":\"ssh.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.certificate.chain_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.chain_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.chain_fuids\"}}},{\"name\":\"ssl.certificate.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.issuer\"}}},{\"name\":\"ssl.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.subject\"}}},{\"name\":\"ssl.cipher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.cipher.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.cipher\"}}},{\"name\":\"ssl.client.certificate.chain_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.certificate.chain_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.certificate.chain_fuids\"}}},{\"name\":\"ssl.client.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.issuer\"}}},{\"name\":\"ssl.client.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.subject\"}}},{\"name\":\"ssl.curve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.curve.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.curve\"}}},{\"name\":\"ssl.established\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.last_alert\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.last_alert.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.last_alert\"}}},{\"name\":\"ssl.next_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.next_protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.next_protocol\"}}},{\"name\":\"ssl.resumed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.server_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.server_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.server_name\"}}},{\"name\":\"ssl.validation_status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.validation_status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.validation_status\"}}},{\"name\":\"ssl.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.version\"}}},{\"name\":\"syslog.facility\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog.facility.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syslog.facility\"}}},{\"name\":\"syslog.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog.severity.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syslog.severity\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"name\":\"tunnel.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tunnel.type\"}}},{\"name\":\"user.escalated\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.escalated.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.escalated\"}}},{\"name\":\"user.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.gid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.gid\"}}},{\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"name\":\"user.shell\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.shell.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.shell\"}}},{\"name\":\"user.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.uid\"}}},{\"name\":\"version.minor3\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"weird.additional_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.additional_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.additional_info\"}}},{\"name\":\"weird.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.name\"}}},{\"name\":\"weird.notice\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"weird.peer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.peer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.peer\"}}},{\"name\":\"x509.basic_constraints.ca\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.certificate.curve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.curve.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.curve\"}}},{\"name\":\"x509.certificate.exponent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.exponent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.exponent\"}}},{\"name\":\"x509.certificate.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.issuer\"}}},{\"name\":\"x509.certificate.key.algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.key.algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.algorithm\"}}},{\"name\":\"x509.certificate.key.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.certificate.key.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.key.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.type\"}}},{\"name\":\"x509.certificate.not_valid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.not_valid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_after\"}}},{\"name\":\"x509.certificate.not_valid_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.not_valid_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_before\"}}},{\"name\":\"x509.certificate.serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.serial\"}}},{\"name\":\"x509.certificate.signing_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.signing_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.signing_algorithm\"}}},{\"name\":\"x509.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.subject\"}}},{\"name\":\"x509.certificate.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.san_dns\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.san_dns.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.san_dns\"}}},{\"name\":\"Push to TheHive\",\"type\":\"string\",\"count\":0,\"scripted\":true,\"script\":\"'https://PLACEHOLDER/soctopus/thehive/alert/' + doc['_id'].value\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]","timeFieldName":"@timestamp","title":"*:so-*"},"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-06-16T12:45:20.069Z","version":"Wzc1MywyXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - All Logs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - All Logs\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":29}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Logs Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Logs Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Destination IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"},"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Sender","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - Sender\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"From\"}}]}"},"id":"7a789740-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzcsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Recipient","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - Recipient\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"To\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.to.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Recipient\"}}]}"},"id":"a5742950-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzgsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - TLS","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - TLS\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smtp.tls: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"smtp.tls\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"TLS\"}}]}"},"id":"e77a2b60-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzksMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smtp.subject.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"0713ebf0-75e8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.useragent.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"User Agent\"}}]}"},"id":"4178ce00-75e8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExLDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:smtp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"a603d9db-ab4e-40b0-aeb8-0f1c1f84bd85\"},\"panelIndex\":\"a603d9db-ab4e-40b0-aeb8-0f1c1f84bd85\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"6fd30865-1d5d-4f8f-9173-77220bb23395\"},\"panelIndex\":\"6fd30865-1d5d-4f8f-9173-77220bb23395\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"1b0acf7a-2a47-4eb4-9cb2-34cd6c499472\"},\"panelIndex\":\"1b0acf7a-2a47-4eb4-9cb2-34cd6c499472\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":18,\"i\":\"d31027fb-a090-474f-9863-712ef30c0b3e\"},\"panelIndex\":\"d31027fb-a090-474f-9863-712ef30c0b3e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":18,\"i\":\"fb5452b7-cb91-4415-ad6b-37f2c05955fa\"},\"panelIndex\":\"fb5452b7-cb91-4415-ad6b-37f2c05955fa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":9,\"w\":15,\"h\":18,\"i\":\"9aaa1369-1a61-4bb0-bb30-6bbb476fbb8a\"},\"panelIndex\":\"9aaa1369-1a61-4bb0-bb30-6bbb476fbb8a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":18,\"i\":\"4bf1751e-8da2-4f5a-b66d-2f09338b2053\"},\"panelIndex\":\"4bf1751e-8da2-4f5a-b66d-2f09338b2053\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":18,\"h\":18,\"i\":\"9365d9e9-478f-499d-aa41-d8f42081ff1c\"},\"panelIndex\":\"9365d9e9-478f-499d-aa41-d8f42081ff1c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":27,\"w\":15,\"h\":18,\"i\":\"18ad4f7a-1a1e-4dcb-8810-bb74d247c9fa\"},\"panelIndex\":\"18ad4f7a-1a1e-4dcb-8810-bb74d247c9fa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":27,\"w\":15,\"h\":18,\"i\":\"44a5b84f-2636-45f4-bb5e-9f8ab11f4107\"},\"panelIndex\":\"44a5b84f-2636-45f4-bb5e-9f8ab11f4107\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - SMTP","version":1},"id":"00304500-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"7a789740-75e7-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"a5742950-75e7-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"e77a2b60-75e7-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"0713ebf0-75e8-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"4178ce00-75e8-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyLDFd"} -{"attributes":{"columns":["note","source_ip","destination_ip","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event_type:bro_notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Notices - Logs","version":1},"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Notices - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"3027c4f0-34e4-11e7-9669-7f1d3242b798","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Navigation","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/94b52620-342a-11e7-9d52-4f090484f59e) \\n[Help](/kibana/app/kibana#/dashboard/AV6-POJSDwoBUzALqKAg) \\n\\n**Alert Data** \\n[Bro Notices](/kibana/app/kibana#/dashboard/01600fb0-34e4-11e7-9669-7f1d3242b798) \\n[ElastAlert](/kibana/app/kibana#/dashboard/1d98d620-7dce-11e7-846a-150cdcaf3374) \\n[HIDS](/kibana/app/kibana#/dashboard/0de7a390-3644-11e7-a6f7-4f44d7bf1c33) \\n[NIDS](/kibana/app/kibana#/dashboard/7f27a830-34e5-11e7-9669-7f1d3242b798)   \\n\\n**Bro Hunting** \\n[Connections](/kibana/app/kibana#/dashboard/e0a34b90-34e6-11e7-9118-45bd317f0ca4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/46582d50-3af2-11e7-a83b-b1b4da7d15f4) \\n[DHCP](/kibana/app/kibana#/dashboard/85348270-357b-11e7-ac34-8965f6420c51) \\n[DNP3](/kibana/app/kibana#/dashboard/2fdf5bf0-3581-11e7-98ef-19df58fe538b) \\n[DNS](/kibana/app/kibana#/dashboard/ebf5ec90-34bf-11e7-9b32-bb903919ead9) \\n[Files](/kibana/app/kibana#/dashboard/2d315d80-3582-11e7-98ef-19df58fe538b) \\n[FTP](/kibana/app/kibana#/dashboard/27f3b380-3583-11e7-a588-05992195c551) \\n[HTTP](/kibana/app/kibana#/dashboard/230134a0-34c6-11e7-8360-0b86c90983fd) \\n[Intel](/kibana/app/kibana#/dashboard/468022c0-3583-11e7-a588-05992195c551) \\n[IRC](/kibana/app/kibana#/dashboard/56a34ce0-3583-11e7-a588-05992195c551) \\n[Kerberos](/kibana/app/kibana#/dashboard/6b0d4870-3583-11e7-a588-05992195c551) \\n[Modbus](/kibana/app/kibana#/dashboard/70c005f0-3583-11e7-a588-05992195c551) \\n[MySQL](/kibana/app/kibana#/dashboard/7929f430-3583-11e7-a588-05992195c551) \\n[NTLM](/kibana/app/kibana#/dashboard/022713e0-3ab0-11e7-a83b-b1b4da7d15f4) \\n[PE](/kibana/app/kibana#/dashboard/8a10e380-3583-11e7-a588-05992195c551) \\n[RADIUS](/kibana/app/kibana#/dashboard/90b246c0-3583-11e7-a588-05992195c551) \\n[RDP](/kibana/app/kibana#/dashboard/97f8c3a0-3583-11e7-a588-05992195c551) \\n[RFB](/kibana/app/kibana#/dashboard/9ef20ae0-3583-11e7-a588-05992195c551) \\n[SIP](/kibana/app/kibana#/dashboard/ad3c0830-3583-11e7-a588-05992195c551) \\n[SMB](/kibana/app/kibana#/dashboard/b3a53710-3aaa-11e7-8b17-0d8709b02c80) \\n[SMTP](/kibana/app/kibana#/dashboard/b10a9c60-3583-11e7-a588-05992195c551) \\n[SNMP](/kibana/app/kibana#/dashboard/b65c2710-3583-11e7-a588-05992195c551) \\n[Software](/kibana/app/kibana#/dashboard/c2c99c30-3583-11e7-a588-05992195c551) \\n[SSH](/kibana/app/kibana#/dashboard/c6ccfc00-3583-11e7-a588-05992195c551) \\n[SSL](/kibana/app/kibana#/dashboard/cca67b60-3583-11e7-a588-05992195c551) \\n[Syslog](/kibana/app/kibana#/dashboard/c4bbe040-76b3-11e7-ba96-cba76a1e264d) \\n[Tunnels](/kibana/app/kibana#/dashboard/d7b54ae0-3583-11e7-a588-05992195c551) \\n[Weird](/kibana/app/kibana#/dashboard/de2da250-3583-11e7-a588-05992195c551) \\n[X.509](/kibana/app/kibana#/dashboard/e5aa7170-3583-11e7-a588-05992195c551) \\n\\n**Host Hunting** \\n[Autoruns](/kibana/app/kibana#/dashboard/61d43810-6d62-11e7-8ddb-e71eb260f4a3) \\n[Beats](/kibana/app/kibana#/dashboard/AWBLNS3CRuBloj96jxub) \\n[Osquery](/kibana/app/kibana#/dashboard/9d0e2da0-14e1-11e9-82f7-0da02d93a48b) \\n[OSSEC](/kibana/app/kibana#/dashboard/3a457d70-3583-11e7-a588-05992195c551)  \\n[Sysmon](/kibana/app/kibana#/dashboard/6d189680-6d62-11e7-8ddb-e71eb260f4a3) \\n\\n**Other** \\n[Domain Stats](/kibana/app/kibana#/dashboard/AWAi6wvxAvKNGEbUWO_j) \\n[Firewall](/kibana/app/kibana#/dashboard/50173bd0-3582-11e7-98ef-19df58fe538b) \\n[Frequency](/kibana/app/kibana#/dashboard/AWAi5k4jAvKNGEbUWFis) \\n[Stats](/kibana/app/kibana#/dashboard/130017f0-46ce-11e7-946f-1bfb1be7c36b) \\n[Syslog](/kibana/app/kibana#/dashboard/4323af90-76e5-11e7-ab14-e1a4c1bc11e0)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}"},"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Source IP Addresses","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Source IP Addresses\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"66e26ad0-3580-11e7-98ef-19df58fe538b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Destination IP Addresses","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Destination IP Addresses\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"7c47b650-3580-11e7-98ef-19df58fe538b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Notice Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Notice Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"note.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}}],\"listeners\":{}}"},"id":"07fdf9e0-39ad-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - File MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - File MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_mime_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"},"id":"53c62730-39ad-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - File Description","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - File Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_description.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}"},"id":"793c2640-39ad-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Notice - Destination Port (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Notice - Destination Port (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}]}"},"id":"e85e2150-6e0e-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Notice - Message/Sub-Message","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Notice - Message/Sub-Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"msg.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sub_msg.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sub-Message\"}}],\"listeners\":{}}"},"id":"bfeb6210-7bb9-11e7-90ec-cdd3dff73b38","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Notices - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG1uC-xQT5EBNmq3dP","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Bro - Notices - Notice Types","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Notices - Notice Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"note.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Note\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"2a949080-4a3d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Notices - Destination Country","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Destination Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"1a879c90-4ca5-11e8-888d-71b91451cf05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2LDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":48,\"i\":\"7\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":48,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":72,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":72,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":136,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":32,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":48,\"h\":40,\"x\":0,\"y\":96,\"i\":\"15\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"17\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":160,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"18\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Notices","version":1},"id":"01600fb0-34e4-11e7-9669-7f1d3242b798","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"3027c4f0-34e4-11e7-9669-7f1d3242b798","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"66e26ad0-3580-11e7-98ef-19df58fe538b","name":"panel_2","type":"visualization"},{"id":"7c47b650-3580-11e7-98ef-19df58fe538b","name":"panel_3","type":"visualization"},{"id":"07fdf9e0-39ad-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"53c62730-39ad-11e7-8472-0151e5b2b475","name":"panel_5","type":"visualization"},{"id":"793c2640-39ad-11e7-8472-0151e5b2b475","name":"panel_6","type":"visualization"},{"id":"e85e2150-6e0e-11e7-8624-1fb07dd76c6a","name":"panel_7","type":"visualization"},{"id":"bfeb6210-7bb9-11e7-90ec-cdd3dff73b38","name":"panel_8","type":"visualization"},{"id":"AWDG1uC-xQT5EBNmq3dP","name":"panel_9","type":"visualization"},{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"panel_10","type":"search"},{"id":"2a949080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"},{"id":"1a879c90-4ca5-11e8-888d-71b91451cf05","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3LDFd"} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ntlm\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"NTLM - Logs","version":1},"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NTLM - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"36f23eb0-3ab0-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Hostname","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"},"id":"e2c8e040-3ab0-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Username","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"NTLM - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}"},"id":"4d869ee0-3ab1-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"d37b9330-3af1-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f3a92f50-3af1-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"d7f162b0-6e1c-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"NTLM - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHCEx7xQT5EBNmq4Vf","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NTLM - Hostname to Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Hostname to Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"domain_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}]}"},"id":"75ab1050-4a59-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Server NetBIOS Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Server NetBIOS Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_nb_computer_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server NetBIOS Name\"}}]}"},"id":"c23ea470-0edc-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Server DNS Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Server DNS Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_dns_computer_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server DNS Name\"}}]}"},"id":"ee6a03f0-0edc-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Server Tree Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Server Tree Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_tree_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Tree Name\"}}]}"},"id":"2a054320-0edd-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5LDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":53,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"x\":0,\"y\":77,\"w\":48,\"h\":24,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":24,\"y\":8,\"w\":12,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":53,\"w\":16,\"h\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":53,\"w\":16,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":32,\"y\":53,\"w\":16,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":35,\"y\":32,\"w\":13,\"h\":21,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":22,\"y\":32,\"w\":13,\"h\":21,\"i\":\"18\"},\"panelIndex\":\"18\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":21,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"Bro - NTLM","version":1},"id":"022713e0-3ab0-11e7-a83b-b1b4da7d15f4","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"36f23eb0-3ab0-11e7-a83b-b1b4da7d15f4","name":"panel_1","type":"visualization"},{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"panel_2","type":"search"},{"id":"e2c8e040-3ab0-11e7-a83b-b1b4da7d15f4","name":"panel_3","type":"visualization"},{"id":"4d869ee0-3ab1-11e7-a83b-b1b4da7d15f4","name":"panel_4","type":"visualization"},{"id":"d37b9330-3af1-11e7-a83b-b1b4da7d15f4","name":"panel_5","type":"visualization"},{"id":"f3a92f50-3af1-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"d7f162b0-6e1c-11e7-b553-7f80727663c1","name":"panel_7","type":"visualization"},{"id":"AWDHCEx7xQT5EBNmq4Vf","name":"panel_8","type":"visualization"},{"id":"75ab1050-4a59-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"},{"id":"c23ea470-0edc-11e9-9846-59f545e7293f","name":"panel_10","type":"visualization"},{"id":"ee6a03f0-0edc-11e9-9846-59f545e7293f","name":"panel_11","type":"visualization"},{"id":"2a054320-0edd-11e9-9846-59f545e7293f","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwLDFd"} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.category:network\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Network Data","version":1},"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network - Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network - Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"source.ip.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"0242ab70-6eae-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security Onion - Files","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Files\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Strelka](/kibana/app/kibana#/dashboard/ff689c50-75f3-11ea-9565-7315f4ee5cac) \\n[Zeek](/kibana/app/kibana#/dashboard/ad4d5d60-75f4-11ea-9565-7315f4ee5cac)\"},\"aggs\":[]}"},"id":"9a5058f0-6e99-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Log Count Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"date\":true,\"interval\":\"PT30M\",\"intervalESValue\":30,\"intervalESUnit\":\"m\",\"format\":\"HH:mm\",\"bounds\":{\"min\":\"2020-03-29T18:17:18.800Z\",\"max\":\"2020-03-30T18:17:18.800Z\"}},\"label\":\"@timestamp per 30 minutes\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.module:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Modules","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Modules\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}]}"},"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Dataset","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Dataset\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.dataset.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}}]}"},"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"bcf25e30-75f1-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FIle - Total Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Security Onion - FIle - Total Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.bytes.total: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.bytes.total\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Total Bytes\"}}]}"},"id":"efc25540-75f1-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.mime_type.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.mime_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MIMEType\"}}]}"},"id":"e8d35c50-75f3-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3LDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:file*\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"6948ea4a-398f-4ab1-a269-e1e6ecd29e12\"},\"panelIndex\":\"6948ea4a-398f-4ab1-a269-e1e6ecd29e12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":7,\"y\":0,\"w\":15,\"h\":7,\"i\":\"d09eef70-f2b5-4085-b619-11cae812be58\"},\"panelIndex\":\"d09eef70-f2b5-4085-b619-11cae812be58\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":7,\"i\":\"0dd18bd2-6631-4772-b3d0-4a92ff713e3a\"},\"panelIndex\":\"0dd18bd2-6631-4772-b3d0-4a92ff713e3a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":8,\"h\":20,\"i\":\"86d343d4-c030-46a3-9f3e-083ccbf28b04\"},\"panelIndex\":\"86d343d4-c030-46a3-9f3e-083ccbf28b04\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":7,\"w\":8,\"h\":20,\"i\":\"2fb5d1e8-4ac6-42c4-852e-9046c2970086\"},\"panelIndex\":\"2fb5d1e8-4ac6-42c4-852e-9046c2970086\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":7,\"w\":10,\"h\":20,\"i\":\"7875de58-924b-4b27-bd51-159b5657659f\"},\"panelIndex\":\"7875de58-924b-4b27-bd51-159b5657659f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":7,\"w\":10,\"h\":20,\"i\":\"f1f8a5c7-9e9f-460d-a2b8-eaca8d834c6b\"},\"panelIndex\":\"f1f8a5c7-9e9f-460d-a2b8-eaca8d834c6b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":36,\"y\":7,\"w\":12,\"h\":20,\"i\":\"06055634-ec80-478d-93d5-67e1cc46e1ab\"},\"panelIndex\":\"06055634-ec80-478d-93d5-67e1cc46e1ab\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Files","version":1},"id":"0245be10-6ec1-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"9a5058f0-6e99-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"bcf25e30-75f1-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"efc25540-75f1-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"e8d35c50-75f3-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4LDFd"} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SSL - Logs","version":1},"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSL - Version (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSL - Version (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"version.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"02699580-365a-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3OCwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_sip\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SIP - Logs","version":1},"id":"9e131480-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SIP - Status","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_code\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Code\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_msg.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}}]}"},"id":"0291dba0-4c78-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3NiwxXQ=="} -{"attributes":{"columns":["osquery.columns.permissions","osquery.columns.name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery AND osquery.name:*chrome* AND osquery.columns.permissions:('all_urls','privacy')\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"osquery - Chrome Extensions - Sensitive Permissions","version":1},"id":"040dda10-18d8-11e9-932c-d12d2cf4ee95","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"04e1aea0-3750-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2NiwxXQ=="} -{"attributes":{"columns":["osquery.hostname","osquery.columns.username","osquery.LiveQuery","osquery.columns.name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery AND osquery.name:*chrome*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"osquery - Chrome Extensions","version":1},"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Chrome Extensions - Changes by Hostname","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"osquery - Chrome Extensions - Changes by Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.hostname.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}]}"},"id":"04f86530-1a59-11e9-ac0b-cb0ba10141ab","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"network.protocol:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Top Network Protocols","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Top Network Protocols\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"metric\":{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}}},\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.protocol.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}"},"id":"d9eb5b30-6ea9-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network - Transport","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network - Transport\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"network.transport.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.transport.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"79cc9670-6ead-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxLDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.category: network\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"b18f064d-2fba-45d8-a3c3-700ecec939a3\"},\"panelIndex\":\"b18f064d-2fba-45d8-a3c3-700ecec939a3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":14,\"h\":9,\"i\":\"3bf59d17-132e-47bc-b548-e1e073491ec5\"},\"panelIndex\":\"3bf59d17-132e-47bc-b548-e1e073491ec5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":27,\"y\":0,\"w\":21,\"h\":9,\"i\":\"49c9ae10-3f16-4cec-b044-c5cf2db199ae\"},\"panelIndex\":\"49c9ae10-3f16-4cec-b044-c5cf2db199ae\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":13,\"h\":19,\"i\":\"87427ca5-e0b9-4ec8-bb5f-3452803befe1\"},\"panelIndex\":\"87427ca5-e0b9-4ec8-bb5f-3452803befe1\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":9,\"w\":12,\"h\":19,\"i\":\"a7745b0f-1c69-4837-9f7e-3d79b5a2ac60\"},\"panelIndex\":\"a7745b0f-1c69-4837-9f7e-3d79b5a2ac60\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":36,\"y\":9,\"w\":12,\"h\":19,\"i\":\"221a543a-98d4-46dd-8e7c-bf97bb292021\"},\"panelIndex\":\"221a543a-98d4-46dd-8e7c-bf97bb292021\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":9,\"w\":11,\"h\":19,\"i\":\"3d3199e1-d839-4738-bc99-e030365b7070\"},\"panelIndex\":\"3d3199e1-d839-4738-bc99-e030365b7070\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - Network","version":1},"id":"04ff3ef0-6ea4-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"d9eb5b30-6ea9-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"79cc9670-6ead-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyLDFd"} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"event_type:bro_conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Connections - Logs","version":1},"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Missed Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Missed Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"missed_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Missed Bytes\"}}],\"listeners\":{}}"},"id":"05088150-3670-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - Path","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smb.path.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.path.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Path\"}}]}"},"id":"052df440-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - GID/SID","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - GID/SID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"GID\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"SID\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.rev: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.gid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"GID\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.signature_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SID\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.rev\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Revision\"}}]}"},"id":"053f7130-7734-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Originator Bytes ( Tile Map)","uiStateJSON":"{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}","version":1,"visState":"{\"title\":\"Connections - Source - Originator Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"original_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"05809df0-46cb-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2NywxXQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"osquery - Logs","version":1},"id":"84116380-14e1-11e9-82f7-0da02d93a48b","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Changes by Hostname","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"osquery - Changes by Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.hostname.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}]}"},"id":"05a5ed10-14e4-11e9-82f7-0da02d93a48b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwMywxXQ=="} -{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ftp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"FTP - Logs","version":1},"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"FTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"06f21d60-35b6-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Query","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNS - Query\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.query.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.query.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Query\"}}]}"},"id":"07065340-72ba-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyMiwxXQ=="} -{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_intel\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Intel - Logs","version":1},"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Intel - Indicator Type (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Intel - Indicator Type (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Indicator Type\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"indicator_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator Type\"}}]}"},"id":"07622d60-6e16-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwMSwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_mysql\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"MySQL - Logs","version":1},"id":"5d624230-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"MySQL - Command/Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"MySQL - Command/Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql_command.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql_argument.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}"},"id":"07e25650-3812-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - HTTP - Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"http.method.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"},"id":"088aad70-7377-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Hash - SHA256","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Hash - SHA256\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.hash.sha256.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.sha256.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"08c0b770-772e-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3NSwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssh\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SSH - Logs","version":1},"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSH - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"09457310-3641-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Hash - MD5","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Hash - MD5\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.md5.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MD5\"}}]}"},"id":"09fc6ef0-7732-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3OCwxXQ=="} -{"attributes":{"columns":["source_ip","syslog-host_from","syslog-priority"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"tags:syslog\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Syslog (All) - Logs","version":1},"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Host From","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Syslog - Host From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Host (From)\"}}],\"listeners\":{}}"},"id":"0a2ce700-76e6-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2NSwxXQ=="} -{"attributes":{"columns":["host","certificate_subject","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"X.509 - Logs","version":1},"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Issuer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_issuer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer\"}}],\"listeners\":{}}"},"id":"0a5f7b30-37d9-11e7-9efb-91e89505091f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzMiwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_rdp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"RDP - Logs","version":1},"id":"823dd600-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"0b9dea80-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Certificate Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Certificate Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.certificate_type.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.certificate_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"id":"0c006bb0-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzNiwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DNS - Logs","version":1},"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Query Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Query Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query_type_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Type\"}}]}"},"id":"0c338e50-4a4e-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RADIUS - Reply","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RADIUS - Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"radius.reply_message.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"radius.reply_message.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply\"}}]}"},"id":"0ca071b0-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzMywxXQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:conn\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Connections","version":1},"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Connections Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date_range\",\"params\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}},\"params\":{},\"label\":\"@timestamp date ranges\",\"aggType\":\"date_range\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"34721460-6ebc-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}"},"id":"c9121690-6ea0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - State","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - State\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"connection.state.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection.state.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"State\"}}]}"},"id":"23b65290-6ea2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Client Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Client Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Client Bytes\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.bytes\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client Bytes\"}}]}"},"id":"98f6e9d0-6ea1-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Responder Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Responder Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Server Bytes\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.bytes\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Bytes\"}}]}"},"id":"70565ec0-6ea1-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - History","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - History\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection.history.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"History\"}}]}"},"id":"5414ad60-6ea2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5LDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:conn\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"a05b7540-74b1-40db-b1d6-0e151f5bbaba\"},\"panelIndex\":\"a05b7540-74b1-40db-b1d6-0e151f5bbaba\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":13,\"h\":9,\"i\":\"78f096e9-6e6b-4144-a63f-3767deab6c8c\"},\"panelIndex\":\"78f096e9-6e6b-4144-a63f-3767deab6c8c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":9,\"i\":\"f24faa4b-0270-44e6-af45-639e2d39c2c3\"},\"panelIndex\":\"f24faa4b-0270-44e6-af45-639e2d39c2c3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":11,\"h\":18,\"i\":\"8cc3f2ee-fcc8-4ddb-8f44-ec0b08da4756\"},\"panelIndex\":\"8cc3f2ee-fcc8-4ddb-8f44-ec0b08da4756\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":11,\"y\":9,\"w\":12,\"h\":18,\"i\":\"5558d00d-f3fd-4051-96a4-384134149228\"},\"panelIndex\":\"5558d00d-f3fd-4051-96a4-384134149228\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":9,\"w\":13,\"h\":18,\"i\":\"ccdbd90c-299e-4e60-a139-1505f1329071\"},\"panelIndex\":\"ccdbd90c-299e-4e60-a139-1505f1329071\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":36,\"y\":9,\"w\":12,\"h\":18,\"i\":\"d678bf2f-f183-4981-9142-976880029daa\"},\"panelIndex\":\"d678bf2f-f183-4981-9142-976880029daa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":6,\"y\":27,\"w\":11,\"h\":18,\"i\":\"598bda31-1136-4474-9384-451491a71d23\"},\"panelIndex\":\"598bda31-1136-4474-9384-451491a71d23\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":17,\"y\":27,\"w\":12,\"h\":18,\"i\":\"8192def5-399b-4728-8646-edf393b63b7e\"},\"panelIndex\":\"8192def5-399b-4728-8646-edf393b63b7e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":27,\"w\":13,\"h\":18,\"i\":\"755322ff-13a8-4121-a2db-6322c037e8b3\"},\"panelIndex\":\"755322ff-13a8-4121-a2db-6322c037e8b3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - Connections","version":1},"id":"0cc628b0-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"34721460-6ebc-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"c9121690-6ea0-11ea-9266-1fd14ca6af34","name":"panel_5","type":"visualization"},{"id":"23b65290-6ea2-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"},{"id":"98f6e9d0-6ea1-11ea-9266-1fd14ca6af34","name":"panel_7","type":"visualization"},{"id":"70565ec0-6ea1-11ea-9266-1fd14ca6af34","name":"panel_8","type":"visualization"},{"id":"5414ad60-6ea2-11ea-9266-1fd14ca6af34","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwLDFd"} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_modbus\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Modbus - Logs","version":1},"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Modbus - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5NiwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_weird\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Weird - Logs","version":1},"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Weird - Log Count Over TIme\",\"type\":\"line\"}"},"id":"0dbcade0-3642-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwNywxXQ=="} -{"attributes":{"columns":["alert_level","classification","description"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[{\"meta\":{\"negate\":false,\"key\":\"tags\",\"value\":\"alert\",\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"tags\":{\"query\":\"alert\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"query\":{\"query_string\":{\"query\":\"event_type:ossec\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"OSSEC - Alerts","version":1},"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"4fa0e530-3644-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Alert Level (Pie Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Alert Level (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"alert_level.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Alert Level\"}}]}"},"id":"69d98570-398b-11e7-84f8-a1f7cef50fcb","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG4pcDxQT5EBNmq3pi","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Event Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Event Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"description.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Description\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Agent\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"\",\"customLabel\":\"Username\"}}]}"},"id":"ee0ba080-4a3d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - User to Escalated User (Data Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - User to Escalated User (Data Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"escalated_user.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Escalated User\"}}]}"},"id":"1de31b40-4a42-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Command (Data Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Command (Data Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"},"id":"9ff34f60-4a42-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Process and Username (Data Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Process and Username (Data Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Process\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"},"id":"447bd2f0-4a43-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4LDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"h\":60,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":28,\"i\":\"6\",\"w\":16,\"x\":32,\"y\":8},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"h\":56,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":88},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"columns\":[\"alert_level\",\"classification\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"h\":28,\"i\":\"13\",\"w\":24,\"x\":8,\"y\":8},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":36},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"gridData\":{\"h\":28,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"embeddableConfig\":{\"spy\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":24,\"i\":\"16\",\"w\":24,\"x\":8,\"y\":36},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"OSSEC Alerts","version":1},"id":"0de7a390-3644-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"4fa0e530-3644-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"69d98570-398b-11e7-84f8-a1f7cef50fcb","name":"panel_2","type":"visualization"},{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"},{"id":"AWDG4pcDxQT5EBNmq3pi","name":"panel_4","type":"visualization"},{"id":"ee0ba080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"1de31b40-4a42-11e8-9b0a-f1d33346f773","name":"panel_6","type":"visualization"},{"id":"9ff34f60-4a42-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"},{"id":"447bd2f0-4a43-11e8-9b0a-f1d33346f773","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5LDFd"} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_snmp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SNMP - Logs","version":1},"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"0defabb0-36b9-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security Onion - Alert Data","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Alert Data\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Suricata](/kibana/app/kibana#/dashboard/81057f40-7733-11ea-bee5-af7f7c7b8e05) \\n[Zeek](/kibana/app/kibana#/dashboard/fa9ed760-7734-11ea-bee5-af7f7c7b8e05) \\n[Wazuh](/kibana/app/kibana#/dashboard/9480f190-7732-11ea-bee5-af7f7c7b8e05)\"},\"aggs\":[]}"},"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzcwLDFd"} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:alert\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Alerts","version":1},"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzcxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Alerts - Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Alerts - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"931cb6f0-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzcyLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Alerts Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Alerts Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"b419b100-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzczLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Rule - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzc0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - Severity","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Rule - Severity\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rule.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}]}"},"id":"a37b9fa0-72b0-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzc1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Rule - Category","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - Category\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.category.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"}}]}"},"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzc2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Destination Ports","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Destination Ports\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"destination.port: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}"},"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzc3LDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: alert\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"c2ddba4b-b0a1-4204-b952-fdc8073dd3c6\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"c2ddba4b-b0a1-4204-b952-fdc8073dd3c6\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"5a22818d-a0f7-4b39-978f-bee1e4280a54\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"5a22818d-a0f7-4b39-978f-bee1e4280a54\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"41a7c313-2dc3-4563-8545-a55f57af532c\",\"w\":25,\"x\":23,\"y\":0},\"panelIndex\":\"41a7c313-2dc3-4563-8545-a55f57af532c\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"7f00befc-4315-45d2-b686-fa99db9fb79c\",\"w\":29,\"x\":0,\"y\":8},\"panelIndex\":\"7f00befc-4315-45d2-b686-fa99db9fb79c\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"1fa5c765-6991-4ece-a6a4-cdb6f2d35553\",\"w\":19,\"x\":29,\"y\":8},\"panelIndex\":\"1fa5c765-6991-4ece-a6a4-cdb6f2d35553\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"eee74597-fa74-4bf6-9c71-429bfe4c3ecd\",\"w\":19,\"x\":0,\"y\":27},\"panelIndex\":\"eee74597-fa74-4bf6-9c71-429bfe4c3ecd\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"fa0e8955-a837-400c-abcb-43394471b39d\",\"w\":10,\"x\":19,\"y\":27},\"panelIndex\":\"fa0e8955-a837-400c-abcb-43394471b39d\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"b60abef8-9b1e-4bae-ac3f-d7eb5a230430\",\"w\":10,\"x\":29,\"y\":27},\"panelIndex\":\"b60abef8-9b1e-4bae-ac3f-d7eb5a230430\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"799598a4-39de-455d-bc39-409466b8b119\",\"w\":9,\"x\":39,\"y\":27},\"panelIndex\":\"799598a4-39de-455d-bc39-409466b8b119\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - Alerts","version":1},"id":"0e4af1d0-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"931cb6f0-72ae-11ea-8dd2-9d8795a1200b","name":"panel_1","type":"visualization"},{"id":"b419b100-72ae-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"a37b9fa0-72b0-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzc4LDFd"} -{"attributes":{"columns":["event_type","source_ip","source_port","destination_ip","destination_port","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:sysmon\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon - Logs","version":1},"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_hostname.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source Hostname\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_hostname.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Hostname\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}],\"listeners\":{}}"},"id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Kerberos Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Kerberos Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"kerberos.client.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"},"id":"0ecc7310-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwNiwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"All Logs","version":1},"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzc5LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sensors/Devices - Total Number of Logs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sensors/Devices - Total Number of Logs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor/Device\"}}]}"},"id":"0f25aac0-3434-11e7-8867-29a39c0f86b2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzgxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Direction","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SSH - Direction\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.direction.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssh.direction.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Direction\"}}]}"},"id":"104a4a90-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwOCwxXQ=="} -{"attributes":{"columns":["source_ip","destination_ip","message_types","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dhcp\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DHCP - Logs","version":1},"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DHCP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"},"id":"1055ada0-3655-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzNywxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dce_rpc\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DCE/RPC - Logs","version":1},"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"10b8a610-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4MiwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_radius\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"RADIUS - Logs","version":1},"id":"75545310-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - MAC","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - MAC\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mac.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MAC Address\"}}],\"listeners\":{}}"},"id":"10cd7190-3809-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Sum of Total Bytes ( Tile Map)","uiStateJSON":"{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}","version":1,"visState":"{\"title\":\"Connections - Source - Sum of Total Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"1156b1e0-46c7-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Logstash - Processing Performance","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Logstash - Processing Performance\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Log Type\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Average processing time\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Standard Deviation of logstash_time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\",\"customLabel\":\"Average processing time\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_type.keyword\",\"size\":20,\"orderAgg\":{\"id\":\"2-orderAgg\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"orderAgg\",\"params\":{\"field\":\"logstash_time\"}},\"order\":\"desc\",\"orderBy\":\"custom\",\"customLabel\":\"Log Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"std_dev\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"},"id":"f86bc870-46ce-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzgwLDFd"} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"tags:_grokparsefailure OR tags:_csvparsefailure OR tags:_rubyexception\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Errors","version":1},"id":"ef487fd0-46cf-11e7-ba56-317a6969f55c","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzgyLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Logstash - Error Type (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Logstash - Error Type (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tags.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"exclude\":\"\",\"include\":\"_csvparsefailure|_grokparsefailure|_rubyexception\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"3a273780-46d0-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ef487fd0-46cf-11e7-ba56-317a6969f55c","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzgzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Avg Processing Time","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Avg Processing Time\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"},"id":"AWDHIynExQT5EBNmq49q","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzg0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Median Processing TIme","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Median Processing TIme\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"median\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\",\"percents\":[50]}}],\"listeners\":{}}"},"id":"AWDHJY1BxQT5EBNmq5Ay","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzg1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Max Processing Time","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Max Processing Time\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"},"id":"AWDHJpuBxQT5EBNmq5Cr","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzg2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"tags:_grokparsefailure OR tags:_csvparsefailure OR tags:_rubyexception\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Error Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Error Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHKEF2xQT5EBNmq5FA","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzg3LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sensors/Devices and Services","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sensors/Devices and Services\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sensor_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}]}"},"id":"d8214de0-4a3a-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzg4LDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":12,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":12,\"h\":28,\"x\":8,\"y\":36,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":64,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":8,\"h\":64,\"x\":0,\"y\":0,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":88,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":12,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":12,\"x\":16,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":12,\"x\":24,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":12,\"x\":32,\"y\":0,\"i\":\"18\"},\"panelIndex\":\"18\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"w\":28,\"h\":28,\"x\":20,\"y\":36,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Stats","version":1},"id":"130017f0-46ce-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"f86bc870-46ce-11e7-946f-1bfb1be7c36b","name":"panel_0","type":"visualization"},{"id":"0f25aac0-3434-11e7-8867-29a39c0f86b2","name":"panel_1","type":"visualization"},{"id":"3a273780-46d0-11e7-946f-1bfb1be7c36b","name":"panel_2","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_3","type":"visualization"},{"id":"ef487fd0-46cf-11e7-ba56-317a6969f55c","name":"panel_4","type":"search"},{"id":"AWDHIynExQT5EBNmq49q","name":"panel_5","type":"visualization"},{"id":"AWDHJY1BxQT5EBNmq5Ay","name":"panel_6","type":"visualization"},{"id":"AWDHJpuBxQT5EBNmq5Cr","name":"panel_7","type":"visualization"},{"id":"AWDHKEF2xQT5EBNmq5FA","name":"panel_8","type":"visualization"},{"id":"d8214de0-4a3a-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzg5LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Destination - Sum of Total Bytes ( Tile Map)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Destination - Sum of Total Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"1342e630-4632-11e7-9903-85f789353078","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User\"}}]}"},"id":"13ed0810-6d72-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Connection State","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Connection State\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection_state_description.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection State Description\"}}],\"listeners\":{}}"},"id":"13fe29c0-3b17-11e7-b871-5f76306b9694","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyMiwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_rfb\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"RFB - Logs","version":1},"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Exclusive Session (Donut Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"RFB - Exclusive Session (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"share_flag.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"14274040-371f-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Agents","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Agents\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"agent.type.keyword: Descending\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"agent.version.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Agent\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Version\"}}]}"},"id":"14ed9540-6ed7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Key Length (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Key Length (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Key Length\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"certificate_key_length\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Key Length\"}}],\"listeners\":{}}"},"id":"150f7280-6e37-11e7-a8d6-ed2e692de531","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - Description","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.description.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"1563f380-7737-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4MSwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"(event_type:bro_smb_mapping OR event_type:bro_smb_files)\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SMB - Logs","version":1},"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"15b4e7a0-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Server Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Server Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Server Address\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.address.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Address\"}}]}"},"id":"15fa3b30-7375-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"178209e0-6e1b-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Destination Port","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Destination Port\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"19dfd180-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5MSwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event_type:ids\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"NIDS - Alerts","version":1},"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Drilldown - Alert Title","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS - Drilldown - Alert Title\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":12}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"alert.keyword\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"}}]}"},"id":"1b3faca0-e064-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Source IP Address","uiStateJSON":"{\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-6\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"1b837b00-364e-11e7-9dc3-d35061cb642d","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Total Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Total Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"1c2aeb50-365e-11e7-b896-5bdd6bfa1561","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.service.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"1c6567b0-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2MywxXQ=="} -{"attributes":{"columns":["entry","entry_location","image_path","hostname","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:autoruns\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Autoruns - Logs","version":1},"id":"dd700830-6d69-11e7-ad64-15aa071374a6","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Profile","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Profile\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"profile.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Profile\"}}],\"listeners\":{}}"},"id":"1cd6a970-6d79-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Log Count Over Time","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"ElastAlert - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"969e4820-7dce-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzkxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Alert Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Alert Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert_info.type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Alert Type\"}}],\"listeners\":{}}"},"id":"f7998d60-7dce-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzkyLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Rule","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Rule\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule_name\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Rule\"}}],\"listeners\":{}}"},"id":"5e1dc100-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzkzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.source_ip.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}}],\"listeners\":{}}"},"id":"8ec77cb0-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzk0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.destination_ip.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}}],\"listeners\":{}}"},"id":"a26faee0-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzk1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"ce25b750-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzk2LDFd"} -{"attributes":{"columns":["rule_name","matches","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"ElastAlert","version":1},"id":"e8840d40-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzk3LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Elastalert - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Elastalert - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG7DVRxQT5EBNmq3zM","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzk4LDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"4\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":48,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{\"columns\":[\"rule_name\",\"matches\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"10\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"ElastAlert","version":1},"id":"1d98d620-7dce-11e7-846a-150cdcaf3374","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"969e4820-7dce-11e7-a1a2-3be6827d22ce","name":"panel_1","type":"visualization"},{"id":"f7998d60-7dce-11e7-a1a2-3be6827d22ce","name":"panel_2","type":"visualization"},{"id":"5e1dc100-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_3","type":"visualization"},{"id":"8ec77cb0-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_4","type":"visualization"},{"id":"a26faee0-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_5","type":"visualization"},{"id":"ce25b750-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_6","type":"visualization"},{"id":"e8840d40-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_7","type":"search"},{"id":"AWDG7DVRxQT5EBNmq3zM","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"Wzk5LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"1ecdd2e0-34c0-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Method (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Method (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"method.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}"},"id":"1ef5c230-6e24-11e7-a261-55504638cf3b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Command/Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - Command/Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.command.keyword: Descending\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.argument.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.command.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.argument.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Argument\"}}]}"},"id":"1f306f60-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNP3 - FC Reply","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - DNP3 - FC Reply\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dnp3.fc_reply.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"FC Reply\"}}]}"},"id":"214793c0-75b9-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Destination Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"21d090d0-365b-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Response Code (Name)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Response Code (Name)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rcode_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response Code (Name)\"}}]}"},"id":"22f7de30-4949-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0NywxXQ=="} -{"attributes":{"columns":["source_ip","destination_ip","destination_port","resp_fuids","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_http\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"HTTP - Logs","version":1},"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"37f19e40-34c6-11e7-8360-0b86c90983fd","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Sites","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Sites\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}"},"id":"8ba31820-34c6-11e7-8360-0b86c90983fd","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"\\\"application/x-dosexec\\\"\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"HTTP - Sites Hosting EXEs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Sites Hosting EXEs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}"},"id":"7153e7f0-34c7-11e7-8360-0b86c90983fd","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - URIs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - URIs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"uri.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}"},"id":"aa7abb00-34e3-11e7-9669-7f1d3242b798","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"ae1f1fb0-3648-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"d0f56da0-3648-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"useragent.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}"},"id":"ae591c20-4164-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Referrer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Referrer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"referrer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"2a7c21d0-4165-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - MIME Type (Tag Cloud)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - MIME Type (Tag Cloud)\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":40},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"resp_mime_types.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"},"id":"934fe550-6e08-11e7-9370-174c4785d3e1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEwOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"HTTP - Destination Port (Vertical Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - Destination Port (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}]}"},"id":"3f4abb40-6e0a-11e7-84cc-b363f104b3c7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"HTTP - Destination Country (Vertical Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - Destination Country (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}]}"},"id":"e41a0bd0-6e0a-11e7-84cc-b363f104b3c7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"HTTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG97t7xQT5EBNmq4E1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"HTTP - Status and Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"HTTP - Status and Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_message.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Status Message\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"method.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}]}"},"id":"66faa650-4c99-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExMywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":52,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":0,\"y\":88,\"w\":48,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":0,\"y\":112,\"w\":48,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":0,\"y\":136,\"w\":48,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":216,\"w\":48,\"h\":36,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"resp_fuids\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"14\",\"gridData\":{\"x\":0,\"y\":52,\"w\":24,\"h\":24,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":24,\"y\":52,\"w\":24,\"h\":24,\"i\":\"15\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"16\",\"gridData\":{\"x\":0,\"y\":188,\"w\":48,\"h\":28,\"i\":\"16\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"17\",\"gridData\":{\"x\":0,\"y\":160,\"w\":48,\"h\":28,\"i\":\"17\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"19\",\"gridData\":{\"x\":0,\"y\":76,\"w\":48,\"h\":12,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"20\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":20,\"i\":\"20\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"21\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":20,\"i\":\"21\"},\"embeddableConfig\":{\"vis\":{\"colors\":{\"Count\":\"#629E51\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"panelIndex\":\"23\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"23\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"panelIndex\":\"24\",\"gridData\":{\"x\":8,\"y\":28,\"w\":40,\"h\":24,\"i\":\"24\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - HTTP","version":1},"id":"230134a0-34c6-11e7-8360-0b86c90983fd","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"37f19e40-34c6-11e7-8360-0b86c90983fd","name":"panel_1","type":"visualization"},{"id":"8ba31820-34c6-11e7-8360-0b86c90983fd","name":"panel_2","type":"visualization"},{"id":"7153e7f0-34c7-11e7-8360-0b86c90983fd","name":"panel_3","type":"visualization"},{"id":"aa7abb00-34e3-11e7-9669-7f1d3242b798","name":"panel_4","type":"visualization"},{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"ae1f1fb0-3648-11e7-bf60-314364dd1cde","name":"panel_6","type":"visualization"},{"id":"d0f56da0-3648-11e7-bf60-314364dd1cde","name":"panel_7","type":"visualization"},{"id":"ae591c20-4164-11e7-9850-b78558d0ac17","name":"panel_8","type":"visualization"},{"id":"2a7c21d0-4165-11e7-9850-b78558d0ac17","name":"panel_9","type":"visualization"},{"id":"934fe550-6e08-11e7-9370-174c4785d3e1","name":"panel_10","type":"visualization"},{"id":"3f4abb40-6e0a-11e7-84cc-b363f104b3c7","name":"panel_11","type":"visualization"},{"id":"e41a0bd0-6e0a-11e7-84cc-b363f104b3c7","name":"panel_12","type":"visualization"},{"id":"AWDG97t7xQT5EBNmq4E1","name":"panel_13","type":"visualization"},{"id":"66faa650-4c99-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Validation Status","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Validation Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"validation_status.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}}],\"listeners\":{}}"},"id":"23d22bd0-70b4-11e7-810e-2bafe9e41c10","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Connections - Bytes and Duration","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Bytes and Duration\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Top Total Bytes](/kibana/app/kibana#/dashboard/a2ab0c40-3b0a-11e7-a6f9-5d3fe735ec2b) \\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/68f738e0-46ca-11e7-946f-1bfb1be7c36b) | [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/b65775e0-46cb-11e7-946f-1bfb1be7c36b) \\n[Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f042ad60-46c6-11e7-946f-1bfb1be7c36b) | [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/ccfcc540-4638-11e7-a82e-d97152153689) \\n[Source - Top Connection Duration](/kibana/app/kibana#/dashboard/4e108070-46c7-11e7-946f-1bfb1be7c36b) | [Destination - Top Connection Duration](/kibana/app/kibana#/dashboard/ea211360-46c4-11e7-a82e-d97152153689)\",\"fontSize\":12,\"openLinksInNewTab\":false},\"aggs\":[]}"},"id":"25ce6eb0-463b-11e7-a82e-d97152153689","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyMywxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_tunnels\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Tunnels - Logs","version":1},"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Destination Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Tunnels - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"26457730-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RFB - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"265a04d0-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxNiwxXQ=="} -{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_syslog\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Syslog (Bro) - Logs","version":1},"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.method.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"},"id":"272b8ab0-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Bro - Connections - Service By Destination Country","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Bro - Connections - Service By Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\",\"row\":false}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}]}"},"id":"277f3250-4161-11e7-8493-51634b0a4565","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RADIUS - Result","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - RADIUS - Result\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"radius.result.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}"},"id":"27ab8260-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp_argument.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}"},"id":"e1907430-35b6-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Reply Message","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Reply Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"reply_message.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reply Message\"}}],\"listeners\":{}}"},"id":"adcd38e0-3679-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"FTP - Reply Code","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"FTP - Reply Code\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"reply_code.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"a0cb0860-367a-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzExOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"cf9e5660-367a-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Destination Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f1d3d070-367a-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Username","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"FTP - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}"},"id":"f9904390-3bff-11e7-be35-e7fc4052ff75","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"eead8540-6e14-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"FTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG9sT_xQT5EBNmq4DI","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"FTP - Command","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp_command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}"},"id":"d5681260-4c8c-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyNSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":20,\"y\":8,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":32,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":8,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":56,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":56,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":32,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"14\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"15\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":8,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - FTP","version":1},"id":"27f3b380-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"06f21d60-35b6-11e7-a994-c528746bc6e8","name":"panel_1","type":"visualization"},{"id":"e1907430-35b6-11e7-a994-c528746bc6e8","name":"panel_2","type":"visualization"},{"id":"adcd38e0-3679-11e7-8c78-e3086faf385c","name":"panel_3","type":"visualization"},{"id":"a0cb0860-367a-11e7-8c78-e3086faf385c","name":"panel_4","type":"visualization"},{"id":"cf9e5660-367a-11e7-8c78-e3086faf385c","name":"panel_5","type":"visualization"},{"id":"f1d3d070-367a-11e7-8c78-e3086faf385c","name":"panel_6","type":"visualization"},{"id":"f9904390-3bff-11e7-be35-e7fc4052ff75","name":"panel_7","type":"visualization"},{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"panel_8","type":"search"},{"id":"eead8540-6e14-11e7-8624-1fb07dd76c6a","name":"panel_9","type":"visualization"},{"id":"AWDG9sT_xQT5EBNmq4DI","name":"panel_10","type":"visualization"},{"id":"d5681260-4c8c-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyNiwxXQ=="} -{"attributes":{"columns":["alert_level","classification","description"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"event_type:ossec\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"OSSEC - Logs","version":1},"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"OSSEC - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"2817b300-3643-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - Key Type","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - Key Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.basic_constraints.ca: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"x509.certificate.key.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"2895c940-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0MCwxXQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:http\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - HTTP","version":1},"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Virtual Host","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Virtual Host\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.virtual_host.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Virtual Host\"}}]}"},"id":"28bf2ef0-6eb7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top Source IPs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top Source IPs\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"28c27f80-3b05-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3NCwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","request_type","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_kerberos\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Kerberos - Logs","version":1},"id":"452daa10-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"28d04080-3636-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSH - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"CLient\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssh.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"},"id":"292b1db0-75ea-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwNSwxXQ=="} -{"attributes":{"columns":["file_ip","destination_ip","source","uid","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event_type:bro_files\"}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Files - Logs","version":1},"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FIles - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FIles - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"295d7ed0-3656-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Target Filename","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Target Filename\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"target_filename.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Filename\"}}],\"listeners\":{}}"},"id":"29611940-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source Country","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Source Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"},"id":"296823d0-366f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxOCwxXQ=="} -{"attributes":{"columns":["action","reason","source_ip","source_port","destination_ip","destination_port","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:firewall\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Firewall - Logs","version":1},"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Action/Reason (Vertical Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Action/Reason (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Action\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"reason.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reason\"}}],\"listeners\":{}}"},"id":"2a1eb100-6d82-11e7-bcd4-0d514e0e7da1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Version","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SNMP - Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"version.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"2a3ae810-36ba-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Lease Time","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Lease Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dhcp.lease_time: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.lease_time\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Lease Time\"}}]}"},"id":"2af5f980-96e2-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Client/Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Client/Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"id":"2bbdc020-6e34-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Files - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Files - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"6571ee10-3584-11e7-a588-05992195c551","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Files - Files By Size (Bytes)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Files - Files By Size (Bytes)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"seen_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Bytes Seen\"}}],\"listeners\":{}}"},"id":"cb3f3850-3585-11e7-8f28-2b291d0f6d86","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEyOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FIles - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FIles - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_ip.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File IP Address\"}}],\"listeners\":{}}"},"id":"67ab33d0-3656-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Files - MIME Type (Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Files - MIME Type (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"MIME Type\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mimetype.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}]}"},"id":"8c57f3d0-3674-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FIles - MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FIles - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mimetype.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"},"id":"aa021c90-3678-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Files - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Files - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG9goqxQT5EBNmq4BP","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Files - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Files - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}]}"},"id":"dff32860-4c8b-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzNSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"panelIndex\":\"3\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"file_ip\",\"destination_ip\",\"source\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":48,\"i\":\"7\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":48,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"12\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Files","version":1},"id":"2d315d80-3582-11e7-98ef-19df58fe538b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"6571ee10-3584-11e7-a588-05992195c551","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"cb3f3850-3585-11e7-8f28-2b291d0f6d86","name":"panel_3","type":"visualization"},{"id":"295d7ed0-3656-11e7-baa7-b7de4ee40605","name":"panel_4","type":"visualization"},{"id":"67ab33d0-3656-11e7-baa7-b7de4ee40605","name":"panel_5","type":"visualization"},{"id":"8c57f3d0-3674-11e7-8c78-e3086faf385c","name":"panel_6","type":"visualization"},{"id":"aa021c90-3678-11e7-8c78-e3086faf385c","name":"panel_7","type":"visualization"},{"id":"AWDG9goqxQT5EBNmq4BP","name":"panel_8","type":"visualization"},{"id":"dff32860-4c8b-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Kerberos - Request Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Kerberos - Request Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.request_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request Type\"}}]}"},"id":"2d73e460-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"2da139c0-34e7-11e7-9118-45bd317f0ca4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SIP - Content Type (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Content Type (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"content_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"2db47070-3754-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"e3fb39a0-75ee-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - Issuer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.certificate.issuer.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.certificate.issuer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Issuer\"}}]}"},"id":"b7334c00-75ee-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - SAN DNS","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - SAN DNS\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.san_dns.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.san_dns.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SAN DNS\"}}]}"},"id":"47f40770-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzEzOSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:x509\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":8,\"i\":\"2d374b61-ac4b-4f89-aec2-254ab0a2e011\"},\"panelIndex\":\"2d374b61-ac4b-4f89-aec2-254ab0a2e011\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":8,\"i\":\"7372042e-3e70-4764-abb1-0c4c9288ff23\"},\"panelIndex\":\"7372042e-3e70-4764-abb1-0c4c9288ff23\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"eee8c3b6-66eb-4427-99ed-459c294599c7\"},\"panelIndex\":\"eee8c3b6-66eb-4427-99ed-459c294599c7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":21,\"h\":21,\"i\":\"3c5d4fc3-bad7-435e-aadc-21de562b638d\"},\"panelIndex\":\"3c5d4fc3-bad7-435e-aadc-21de562b638d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":21,\"y\":8,\"w\":27,\"h\":21,\"i\":\"0a395978-b95f-4bfc-82fa-737307cd8ebd\"},\"panelIndex\":\"0a395978-b95f-4bfc-82fa-737307cd8ebd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":21,\"y\":29,\"w\":27,\"h\":18,\"i\":\"3fb3ec30-312a-45aa-93be-b8955615bf71\"},\"panelIndex\":\"3fb3ec30-312a-45aa-93be-b8955615bf71\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":29,\"w\":21,\"h\":18,\"i\":\"007d1727-a948-4770-96c8-a5f130261cf8\"},\"panelIndex\":\"007d1727-a948-4770-96c8-a5f130261cf8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - X509","version":1},"id":"2e0865f0-75ee-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"e3fb39a0-75ee-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"b7334c00-75ee-11ea-9565-7315f4ee5cac","name":"panel_4","type":"visualization"},{"id":"47f40770-75ef-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"2895c940-75ef-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Cookie","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.cookie.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.cookie.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Cookie\"}}]}"},"id":"2e7363f0-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Entry","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Entry\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"entry.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Entry\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"entry_location.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Entry Location\"}}],\"listeners\":{}}"},"id":"2ef9ccd0-6d7a-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Change Stats","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"osquery - Change Stats\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"osquery.hostIdentifier.keyword\",\"customLabel\":\"Endpoints\"}}]}"},"id":"2f556c90-14e3-11e9-82f7-0da02d93a48b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:files\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - Analyzer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - Analyzer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.analyzer.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.analyzer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Analyzer\"}}]}"},"id":"2fc4bea0-7730-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3OSwxXQ=="} -{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dnp3\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DNP3 - Logs","version":1},"id":"c2587840-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNP3 - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"593f1850-3581-11e7-98ef-19df58fe538b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"dde8c8a0-3719-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"ef7546c0-3719-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"4898f230-6e0e-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DNP3 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG9DWvxQT5EBNmq3-m","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNP3 - Function Request","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Function Request\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"fc_request.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request\"}}]}"},"id":"857c6760-4a4d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNP3 - Function Reply","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Function Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"fc_reply.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reply\"}}]}"},"id":"bd5435f0-4a4d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE0OSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":8,\"y\":32,\"w\":12,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":20,\"y\":32,\"w\":12,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":24,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"x\":32,\"y\":32,\"w\":16,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":24,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"14\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":24,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - DNP3","version":1},"id":"2fdf5bf0-3581-11e7-98ef-19df58fe538b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"593f1850-3581-11e7-98ef-19df58fe538b","name":"panel_1","type":"visualization"},{"id":"dde8c8a0-3719-11e7-90f8-87842d5eedc9","name":"panel_2","type":"visualization"},{"id":"ef7546c0-3719-11e7-90f8-87842d5eedc9","name":"panel_3","type":"visualization"},{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"4898f230-6e0e-11e7-8624-1fb07dd76c6a","name":"panel_5","type":"visualization"},{"id":"AWDG9DWvxQT5EBNmq3-m","name":"panel_6","type":"visualization"},{"id":"857c6760-4a4d-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"},{"id":"bd5435f0-4a4d-11e8-9b0a-f1d33346f773","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Intel - Seen (Donut Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"Intel - Seen (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"seen_where.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Seen (Where)\"}}]}"},"id":"3013af40-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RADIUS - Authentication Result","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"RADIUS - Authentication Result\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"result.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"30348db0-4a5b-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - File/Path Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"SMB - File/Path Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"path.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Path\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"File Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"action.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}"},"id":"306c4330-4175-11e7-a0f7-47f4c03e3306","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_hostname.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}]}"},"id":"3072c750-6d71-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security Onion - Navigation","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Navigation\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Event Category** \\n[Alert](/kibana/app/kibana#/dashboard/0e4af1d0-72ae-11ea-8dd2-9d8795a1200b) | \\n[File](/kibana/app/kibana#/dashboard/0245be10-6ec1-11ea-9266-1fd14ca6af34) |\\n[Host](/kibana/app/kibana#/dashboard/92e63cc0-6ec0-11ea-9266-1fd14ca6af34) | [Network](/kibana/app/kibana#/dashboard/04ff3ef0-6ea4-11ea-9266-1fd14ca6af34) \"},\"aggs\":[]}"},"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1MSwxXQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - All Logs","version":1},"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1MiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"*\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":9,\"h\":8,\"i\":\"c706b8e5-9d49-4700-a3ea-26e86ac3a4c4\"},\"panelIndex\":\"c706b8e5-9d49-4700-a3ea-26e86ac3a4c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":0,\"w\":16,\"h\":8,\"i\":\"77c5d557-83e4-40b9-9177-388db29d711d\"},\"panelIndex\":\"77c5d557-83e4-40b9-9177-388db29d711d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":8,\"i\":\"f044ff9c-455a-4085-88c8-92e9ead2bba0\"},\"panelIndex\":\"f044ff9c-455a-4085-88c8-92e9ead2bba0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"54873f75-4452-4938-840d-3a2f50547a88\"},\"panelIndex\":\"54873f75-4452-4938-840d-3a2f50547a88\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":13,\"h\":19,\"i\":\"30749cb6-18ad-4069-b18d-5912086fff9c\"},\"panelIndex\":\"30749cb6-18ad-4069-b18d-5912086fff9c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":8,\"w\":13,\"h\":19,\"i\":\"7c498d50-d009-493a-a8c9-c91303ad5556\"},\"panelIndex\":\"7c498d50-d009-493a-a8c9-c91303ad5556\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":35,\"y\":8,\"w\":13,\"h\":19,\"i\":\"2f69e716-e6e9-4595-801d-8f59b7d2c574\"},\"panelIndex\":\"2f69e716-e6e9-4595-801d-8f59b7d2c574\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":31,\"i\":\"6ddfd0a2-337e-47d1-8d4c-bc386a4210af\"},\"panelIndex\":\"6ddfd0a2-337e-47d1-8d4c-bc386a4210af\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Indicator","version":1},"id":"30d0ac90-729f-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"d9eb5b30-6ea9-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"search"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Destination IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"},"id":"30e97190-6eb6-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"312cd460-364e-11e7-9dc3-d35061cb642d","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Server Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Server Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.server_major_version.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.server_major_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.server_minor_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Minor Version\"}}]}"},"id":"316e90a0-75c8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DHCP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"},"id":"317f8410-3655-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"31f5e040-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Tunnels - Action (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Tunnels - Action (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}}]}"},"id":"33b39a60-6e35-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5NSwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_irc\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"IRC - Logs","version":1},"id":"344c6010-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Severity (Horizontal Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false},\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Severity (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"Severity\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"severity.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Severity\"}}],\"listeners\":{}}"},"id":"346e5c30-76b7-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - Share Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - Share Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.share_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"34762420-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Intel - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"361d0bd0-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Changes by Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"osquery - Changes by Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Change Type\"}}]}"},"id":"369e16e0-14e4-11e9-82f7-0da02d93a48b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Certificate Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}"},"id":"3753e110-365a-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - IRC - Command Info","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - IRC - Command Info\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.command.info.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"irc.command.info.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Info\"}}]}"},"id":"db279540-75bb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - User Command Overview","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - User Command Overview\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.nickname.keyword: Descending\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Command Type\",\"aggType\":\"terms\"},{\"accessor\":4,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.username.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.username.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.nickname.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.command.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Type\"}}]}"},"id":"f7ee5fb0-75bb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1NSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:irc\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"2d2b4444-14c0-4812-a22e-ca6d509a0c7f\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"2d2b4444-14c0-4812-a22e-ca6d509a0c7f\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"0035e7f6-2c85-494d-88aa-0f6ebc21f6c8\",\"w\":16,\"x\":13,\"y\":0},\"panelIndex\":\"0035e7f6-2c85-494d-88aa-0f6ebc21f6c8\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"147c5d40-556b-4b41-a1bb-ed0976fae0c8\",\"w\":19,\"x\":29,\"y\":0},\"panelIndex\":\"147c5d40-556b-4b41-a1bb-ed0976fae0c8\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"9a9084a5-0f74-4bdd-befd-b9bece56ea53\",\"w\":8,\"x\":0,\"y\":8},\"panelIndex\":\"9a9084a5-0f74-4bdd-befd-b9bece56ea53\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"9ffba622-36f6-4343-b0a3-1c59e3f6d297\",\"w\":9,\"x\":8,\"y\":8},\"panelIndex\":\"9ffba622-36f6-4343-b0a3-1c59e3f6d297\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"f0f0af04-4f81-437a-ada5-173a1ef8bd11\",\"w\":15,\"x\":17,\"y\":8},\"panelIndex\":\"f0f0af04-4f81-437a-ada5-173a1ef8bd11\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"3dab7339-3266-4127-86f3-eef2108d5dbf\",\"w\":16,\"x\":32,\"y\":8},\"panelIndex\":\"3dab7339-3266-4127-86f3-eef2108d5dbf\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - IRC","version":1},"id":"38523560-75ba-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"db279540-75bb-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"f7ee5fb0-75bb-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Alert Summary - Drilldown","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Alert Summary - Drilldown\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"3a1b54b0-e061-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1MSwxXQ=="} -{"attributes":{"columns":["message"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:ossec_archive\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"OSSEC - Archive","version":1},"id":"ebf74e90-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE1OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"OSSEC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHHXl3xQT5EBNmq42U","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2MCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":8,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"alert_level\",\"classification\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":48,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"columns\":[\"message\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"OSSEC","version":1},"id":"3a457d70-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"2817b300-3643-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","name":"panel_2","type":"search"},{"id":"ebf74e90-342f-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"},{"id":"AWDHHXl3xQT5EBNmq42U","name":"panel_4","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Response","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - Response\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.response.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"3af496e0-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Image","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Sysmon - Image\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"None\",\"exclude\":\"\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"parent_image_path.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"None\",\"exclude\":\"\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Parent Image\"}}]}"},"id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Priority (Vertical bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Syslog - Priority (Vertical bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Priority\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog-priority.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Priority\"}}],\"listeners\":{}}"},"id":"3bf1fdc0-76e6-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"IRC - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"3c073d20-6e17-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Modbus - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}]}"},"id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Tunnels - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"3cdf2400-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.action.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.source.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"3e6037d0-75f2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"3f040620-4a44-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"3f34faa0-3636-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Agent - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Agent - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"407784f0-7738-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Source IP","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top 10 - Total Bytes By Source IP\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"left\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"source_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}}]}"},"id":"41a33c80-3b0d-11e7-a6f9-5d3fe735ec2b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"X.509 - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"41bee360-3642-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyOSwxXQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:creation_date AND creation_date:[now-3M TO now]\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DNS - Domains with creation date < 3 months","version":1},"id":"fce833e0-6f12-11e7-86c8-a1b6db3b051a","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Baby Domain Requests","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Baby Domain Requests\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"creation_date\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_term\"}}],\"listeners\":{}}"},"id":"41ec0ca0-6f13-11e7-86c8-a1b6db3b051a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fce833e0-6f12-11e7-86c8-a1b6db3b051a","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SNMP - Community String","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SNMP - Community String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"snmp.community.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"snmp.community.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Community String\"}}]}"},"id":"424ace90-75e9-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"endpoint.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"operation.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"named_pipe.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}]}"},"id":"42b17660-4a47-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Log Count Over Time","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Syslog - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 10 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"79a2a4e0-76e5-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Syslog - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Syslog - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-sourceip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"},"id":"e7a99b10-76e5-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Syslog - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHKVLMxQT5EBNmq5HX","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2NywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":24,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":24,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":60,\"x\":0,\"y\":48,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"syslog-host_from\",\"syslog-priority\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"Syslog","version":1},"id":"4323af90-76e5-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"79a2a4e0-76e5-11e7-ab14-e1a4c1bc11e0","name":"panel_1","type":"visualization"},{"id":"e7a99b10-76e5-11e7-ab14-e1a4c1bc11e0","name":"panel_2","type":"visualization"},{"id":"0a2ce700-76e6-11e7-ab14-e1a4c1bc11e0","name":"panel_3","type":"visualization"},{"id":"3bf1fdc0-76e6-11e7-ab14-e1a4c1bc11e0","name":"panel_4","type":"visualization"},{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"panel_5","type":"search"},{"id":"AWDHKVLMxQT5EBNmq5HX","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE2OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Tunnels - Type (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Tunnels - Type (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tunnel_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"43b2b040-3807-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Key Algorithm (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"X.509 - Certificate Key Algorithm (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"certificate_key_algorithm.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Algorithm\"}}],\"listeners\":{}}"},"id":"446e85c0-6e37-11e7-a8d6-ed2e692de531","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Least Common HTTP Methods","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Least Common HTTP Methods\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":13,\"maxFontSize\":39,\"showLabel\":false,\"metric\":{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}}},\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.method.keyword\",\"orderBy\":\"1\",\"order\":\"asc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"6411e5b0-6eb2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"destination.port: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}"},"id":"51ad64d0-6eb7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"6d0fb2b0-6eb6-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - UserAgent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - UserAgent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.useragent.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"UserAgent\"}}]}"},"id":"c2f93f40-6ed7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - URI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"http.uri.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.uri.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"URI\"}}]}"},"id":"f22e8660-6eb6-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3NywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:http\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"6e3caf86-a1ea-4363-9c73-205de5f43ba9\"},\"panelIndex\":\"6e3caf86-a1ea-4363-9c73-205de5f43ba9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"0b0546ef-637b-4a40-b87b-a454b78cc810\"},\"panelIndex\":\"0b0546ef-637b-4a40-b87b-a454b78cc810\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"9c49b93a-5b5d-4613-8342-c01c69970bce\"},\"panelIndex\":\"9c49b93a-5b5d-4613-8342-c01c69970bce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":9,\"h\":18,\"i\":\"377e3099-7aec-474c-9201-2f1845c58d24\"},\"panelIndex\":\"377e3099-7aec-474c-9201-2f1845c58d24\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":18,\"i\":\"15d7c88b-1619-4290-8968-fa2adfddd72f\"},\"panelIndex\":\"15d7c88b-1619-4290-8968-fa2adfddd72f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":18,\"i\":\"d1219968-6b7f-4040-9c75-0611b9cbf8a0\"},\"panelIndex\":\"d1219968-6b7f-4040-9c75-0611b9cbf8a0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":9,\"w\":23,\"h\":18,\"i\":\"1b444602-2f1c-4c32-85fc-1e5f46235303\"},\"panelIndex\":\"1b444602-2f1c-4c32-85fc-1e5f46235303\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":11,\"h\":18,\"i\":\"9b1df72c-b6fd-4abd-a961-32176c26cc3d\"},\"panelIndex\":\"9b1df72c-b6fd-4abd-a961-32176c26cc3d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":11,\"y\":27,\"w\":10,\"h\":18,\"i\":\"52c3ab70-9b8d-4c26-953d-f1a943fdff38\"},\"panelIndex\":\"52c3ab70-9b8d-4c26-953d-f1a943fdff38\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":21,\"y\":27,\"w\":27,\"h\":18,\"i\":\"ea97cb71-fbb6-46ae-bb4a-4d01c3a6edb2\"},\"panelIndex\":\"ea97cb71-fbb6-46ae-bb4a-4d01c3a6edb2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - HTTP","version":1},"id":"44e9c820-6eb1-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"6411e5b0-6eb2-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"51ad64d0-6eb7-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"6d0fb2b0-6eb6-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"30e97190-6eb6-11ea-9266-1fd14ca6af34","name":"panel_5","type":"visualization"},{"id":"c2f93f40-6ed7-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"},{"id":"088aad70-7377-11ea-a3da-cbdb4f8a90c0","name":"panel_7","type":"visualization"},{"id":"28bf2ef0-6eb7-11ea-9266-1fd14ca6af34","name":"panel_8","type":"visualization"},{"id":"f22e8660-6eb6-11ea-9266-1fd14ca6af34","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE3OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Modbus - Function","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"function.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Function\"}}]}"},"id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Category","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS Alerts - Category\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Category\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"category.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Category\"}}]}"},"id":"45464b50-3af6-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Query Class (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Query Class (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"query_class_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Class\"}}]}"},"id":"45a652b0-34c1-11e7-917c-af7a9d11771a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1OSwxXQ=="} -{"attributes":{"columns":["message","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_pe\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"PE - Logs","version":1},"id":"66288140-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"PE - OS (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PE - OS (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"os.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"45c4ae10-380c-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSH - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.server.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssh.server.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server\"}}]}"},"id":"46221fe0-75ea-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DCE/RPC - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"cbb67b00-3af2-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f52f8bc0-3af2-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Endpoint","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Endpoint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"endpoint.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}}],\"listeners\":{}}"},"id":"553acbb0-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Named Pipe","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Named Pipe\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"named_pipe.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}],\"listeners\":{}}"},"id":"6b7122d0-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Operation","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"operation.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}}],\"listeners\":{}}"},"id":"86107960-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Round Trip Time","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Round Trip Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rtt\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Round Trip Time\"}}]}"},"id":"f275f490-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG8k4OxQT5EBNmq37a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"d979b0f0-4a45-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE4OCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":104,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":80,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"17\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":80,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - DCE/RPC","version":1},"id":"46582d50-3af2-11e7-a83b-b1b4da7d15f4","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"panel_0","type":"search"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"cbb67b00-3af2-11e7-a83b-b1b4da7d15f4","name":"panel_2","type":"visualization"},{"id":"f52f8bc0-3af2-11e7-a83b-b1b4da7d15f4","name":"panel_3","type":"visualization"},{"id":"10b8a610-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_4","type":"visualization"},{"id":"553acbb0-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_5","type":"visualization"},{"id":"6b7122d0-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"86107960-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_7","type":"visualization"},{"id":"f275f490-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_8","type":"visualization"},{"id":"AWDG8k4OxQT5EBNmq37a","name":"panel_9","type":"visualization"},{"id":"d979b0f0-4a45-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"},{"id":"42b17660-4a47-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sources.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}],\"listeners\":{}}"},"id":"613de590-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"a5571030-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"ba2d3b10-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Indicator","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Indicator\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"indicator.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator\"}}],\"listeners\":{}}"},"id":"6380b430-399c-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mimetype.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"},"id":"af614b80-399c-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Matched","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Matched\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"matched.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type Matched\"}}],\"listeners\":{}}"},"id":"c8540380-399c-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzE5OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"a5bcec80-6e15-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Intel - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG-Qf8xQT5EBNmq4G5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwMiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"Bro - Intel","version":1},"id":"468022c0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"361d0bd0-35b7-11e7-a994-c528746bc6e8","name":"panel_1","type":"visualization"},{"id":"3013af40-399b-11e7-8472-0151e5b2b475","name":"panel_2","type":"visualization"},{"id":"613de590-399b-11e7-8472-0151e5b2b475","name":"panel_3","type":"visualization"},{"id":"a5571030-399b-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"ba2d3b10-399b-11e7-8472-0151e5b2b475","name":"panel_5","type":"visualization"},{"id":"6380b430-399c-11e7-8472-0151e5b2b475","name":"panel_6","type":"visualization"},{"id":"af614b80-399c-11e7-8472-0151e5b2b475","name":"panel_7","type":"visualization"},{"id":"c8540380-399c-11e7-8472-0151e5b2b475","name":"panel_8","type":"visualization"},{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"a5bcec80-6e15-11e7-8624-1fb07dd76c6a","name":"panel_10","type":"visualization"},{"id":"07622d60-6e16-11e7-8624-1fb07dd76c6a","name":"panel_11","type":"visualization"},{"id":"AWDG-Qf8xQT5EBNmq4G5","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Category","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Autoruns - Category\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Category\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"category.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Category\"}}],\"listeners\":{}}"},"id":"482be9b0-6d78-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Kerberos - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Kerberos - Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"kerberos.service.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.service.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}"},"id":"48331f00-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Request From","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Request From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.request.from.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.request.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request From\"}}]}"},"id":"49384710-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"network.transport:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Network - Transport","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network - Transport\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"network.transport.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.transport.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Network Transport\"}}]}"},"id":"499a0690-6ead-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.source.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source\"}}]}"},"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Protocol (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Protocol (Donut Chart)\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"protocol.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}]}"},"id":"49e04860-4a4e-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Kerberos - Request Type (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Request Type (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"request_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request Type\"}}]}"},"id":"4aa0b2a0-6e1a-11e7-89e4-613b96f597e1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network - Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network - Destination IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IPs\"}}]}"},"id":"4adca340-6eae-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND highest_registered_domain:google.com~ -highest_registered_domain:google.com AND highest_registered_domain:youtube.com~ -highest_registered_domain:youtube.com AND highest_registered_domain:facebook.com~ -highest_registered_domain:facebook.com AND highest_registered_domain:wikipedia.org~ -highest_registered_domain:wikipedia.org AND highest_registered_domain:google.co.in~ -highest_registered_domain:google.co.in AND highest_registered_domain:reddit.com~ -highest_registered_domain:reddit.com AND highest_registered_domain:amazon.com~ -highest_registered_domain:amazon.com AND highest_registered_domain:taobao.com~ -highest_registered_domain:taobao.com AND highest_registered_domain:twitter.com~ -highest_registered_domain:twitter.com AND highest_registered_domain:google.co.jp~ -highest_registered_domain:google.co.jp AND highest_registered_domain:instagram.com~ -highest_registered_domain:instagram.com AND highest_registered_domain:sina.com.cn~ -highest_registered_domain:sina.com.cn AND highest_registered_domain:google.co.uk~ -highest_registered_domain:google.co.uk AND highest_registered_domain:linkedin.com~ -highest_registered_domain:linkedin.com AND highest_registered_domain:list.tmall.com~ -highest_registered_domain:list.tmall.com AND highest_registered_domain:google.com.br~ -highest_registered_domain:google.com.br AND highest_registered_domain:google.com.hk~ -highest_registered_domain:google.com.hk AND highest_registered_domain:netflix.com~ -highest_registered_domain:netflix.com AND highest_registered_domain:yahoo.co.jp~ -highest_registered_domain:yahoo.co.jp AND highest_registered_domain:pornhub.com~ -highest_registered_domain:pornhub.com AND highest_registered_domain:xvideos.com~ -highest_registered_domain:xvideos.com AND highest_registered_domain:microsoft.com~ -highest_registered_domain:microsoft.com AND highest_registered_domain:livejasmin.com~ -highest_registered_domain:livejasmin.com AND highest_registered_domain:aliexpress.com~ -highest_registered_domain:aliexpress.com AND highest_registered_domain:stackoverflow.com~ -highest_registered_domain:stackoverflow.com AND highest_registered_domain:wordpress.com~ -highest_registered_domain:wordpress.com AND highest_registered_domain:hao123.com~ -highest_registered_domain:hao123.com AND highest_registered_domain:github.com~ -highest_registered_domain:github.com AND highest_registered_domain:amazon.co.jp~ -highest_registered_domain:amazon.co.jp AND highest_registered_domain:blogspot.com~ -highest_registered_domain:blogspot.com AND highest_registered_domain:pinterest.com~ -highest_registered_domain:pinterest.com AND highest_registered_domain:bongacams.com~ -highest_registered_domain:bongacams.com AND highest_registered_domain:google.com.tr~ -highest_registered_domain:google.com.tr AND highest_registered_domain:popads.net~ -highest_registered_domain:popads.net AND highest_registered_domain:paypal.com~ -highest_registered_domain:paypal.com AND highest_registered_domain:office.com~ -highest_registered_domain:office.com AND highest_registered_domain:google.com.tw~ -highest_registered_domain:google.com.tw AND highest_registered_domain:google.com.au~ -highest_registered_domain:google.com.au AND highest_registered_domain:whatsapp.com~ -highest_registered_domain:whatsapp.com AND highest_registered_domain:microsoftonline.com~ -highest_registered_domain:microsoftonline.com\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Phishing Attempts Against Alexa Top Sites","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 0\":\"rgb(0,104,55)\",\"1 - 999999\":\"rgb(165,0,38)\"}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Phishing attempts against your domain(s)\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"gauge\":{\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":0},{\"from\":1,\"to\":999999}],\"extendRange\":true,\"gaugeColorMode\":\"Labels\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Arc\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":true},\"style\":{\"bgColor\":false,\"bgFill\":\"#eee\",\"bgMask\":false,\"bgWidth\":0.9,\"fontSize\":60,\"labelColor\":true,\"mask\":false,\"maskBars\":50,\"subText\":\"Edit this to reflect your domain(s)\",\"width\":0.9},\"type\":\"meter\",\"alignment\":\"horizontal\"}},\"title\":\"DNS - Phishing Attempts Against Alexa Top Sites\",\"type\":\"gauge\"}"},"id":"4d89e140-6f09-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Top Connection Duration (Tile Map)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Source - Top Connection Duration (Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"5ea38360-46c7-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwNSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[14.604847155053898,0.17578125],\"mapZoom\":2}}]","timeRestore":false,"title":"Connections - Source - Top Connection Duration","version":1},"id":"4e108070-46c7-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"5ea38360-46c7-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Section Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"PE - Section Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"section_names.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"4e56b4d0-416f-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DHCP - IP to MAC Assignment","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - IP to MAC Assignment\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"assigned_ip.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Assigned IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mac.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MAC Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"4e877100-4a48-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Issuer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.issuer.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.issuer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Issuer\"}}]}"},"id":"4e8cbf80-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1OCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":false}","panelsJSON":"[]","timeRestore":false,"title":"OSSEC","version":1},"id":"4f6f3440-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.3.0"},"references":[],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Server Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Server Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_major_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_minor_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}"},"id":"4fade7b0-6e22-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Process Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - Process Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Process Name\"}}]}"},"id":"4fe16b60-72bd-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"e76d2eb0-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIwOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Firewall - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"c3a06740-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Firewall - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"df06de60-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Destination Port","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Destination Port\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"fcf75bc0-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Protocol","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Protocol\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"ipv4_protocol.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"f8f0dbc0-6d82-11e7-912f-0950e6d5c322","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Firewall - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHH3kBxQT5EBNmq459","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxNSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":60,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":36,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":36,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":24,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":16,\"h\":16,\"x\":32,\"y\":8,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":24,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":60,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{\"columns\":[\"action\",\"reason\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"Firewall","version":1},"id":"50173bd0-3582-11e7-98ef-19df58fe538b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"e76d2eb0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"c3a06740-6d75-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"df06de60-6d75-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"2a1eb100-6d82-11e7-bcd4-0d514e0e7da1","name":"panel_4","type":"visualization"},{"id":"fcf75bc0-6d75-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"f8f0dbc0-6d82-11e7-912f-0950e6d5c322","name":"panel_6","type":"visualization"},{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"panel_7","type":"search"},{"id":"AWDHH3kBxQT5EBNmq459","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File Size","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File Size\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.size: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.size\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Size\"}}]}"},"id":"50b4c880-72df-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"},"id":"524e13b0-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Answers","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNS - Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.answers.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.answers.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Answer\"}}]}"},"id":"536876a0-72ba-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Tunnels - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"53824da0-6e35-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"5393c710-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"id":"53ac63e0-365b-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2MSwxXQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_smtp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SMTP - Logs","version":1},"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Webmail - True/False (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"SMTP - Webmail - True/False (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Webmail\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"is_webmail.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Webmail\"}}],\"listeners\":{}}"},"id":"53beb0d0-6e29-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"54d78f50-6e33-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - NTLM - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - NTLM - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ntlm.success: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ntlm.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"id":"e9f31a70-75c2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - NTLM - Tree","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - NTLM - Tree\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ntlm.server.tree.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.tree.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Tree\"}}]}"},"id":"8cb83890-75c2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - NTLM - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - NTLM - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Netbios\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"DNS\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.nb.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"NetBIOS\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.dns.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"\",\"customLabel\":\"DNS\"}}]}"},"id":"63f139c0-75c2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIxOSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:ntlm\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"4555a871-9c2c-48d4-b143-bffc6d41ea4d\"},\"panelIndex\":\"4555a871-9c2c-48d4-b143-bffc6d41ea4d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"0bc9ae29-cbc1-4272-ad27-9c2ff51c19ff\"},\"panelIndex\":\"0bc9ae29-cbc1-4272-ad27-9c2ff51c19ff\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"d32748d9-d47b-41bb-ab9f-b59817230998\"},\"panelIndex\":\"d32748d9-d47b-41bb-ab9f-b59817230998\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":18,\"i\":\"2f7a5ee8-2258-4c8d-af2d-99a9e11defa2\"},\"panelIndex\":\"2f7a5ee8-2258-4c8d-af2d-99a9e11defa2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":18,\"i\":\"4a50def3-c905-4493-b352-59741d68326e\"},\"panelIndex\":\"4a50def3-c905-4493-b352-59741d68326e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":10,\"h\":18,\"i\":\"075d7365-e106-4a1e-b003-bab7abbb7146\"},\"panelIndex\":\"075d7365-e106-4a1e-b003-bab7abbb7146\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":9,\"w\":9,\"h\":18,\"i\":\"5202d0b2-7f34-4182-8e25-ec87d4df0965\"},\"panelIndex\":\"5202d0b2-7f34-4182-8e25-ec87d4df0965\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":35,\"y\":9,\"w\":13,\"h\":18,\"i\":\"f93042fa-bdd7-495f-af7b-eec95073e015\"},\"panelIndex\":\"f93042fa-bdd7-495f-af7b-eec95073e015\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - NTLM","version":1},"id":"558292e0-75c1-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"e9f31a70-75c2-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"8cb83890-75c2-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"63f139c0-75c2-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Response Code Name","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - DNS - Response Code Name\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.response.code_name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dns.response.code_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"a9bd4090-72b9-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyMSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dns\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"ae3e83b1-5e53-40eb-8e4f-541e4851ddd2\"},\"panelIndex\":\"ae3e83b1-5e53-40eb-8e4f-541e4851ddd2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":14,\"h\":9,\"i\":\"4b8b4859-bd5c-446c-94e1-6d9b57cbe922\"},\"panelIndex\":\"4b8b4859-bd5c-446c-94e1-6d9b57cbe922\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":9,\"i\":\"ee03c5c1-9e26-42e3-b569-afa2712d7047\"},\"panelIndex\":\"ee03c5c1-9e26-42e3-b569-afa2712d7047\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":19,\"i\":\"706d8a5a-a263-48d0-8eb8-12eeade27115\"},\"panelIndex\":\"706d8a5a-a263-48d0-8eb8-12eeade27115\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":19,\"i\":\"bf29b086-8b8d-47a5-8280-afeb737d6163\"},\"panelIndex\":\"bf29b086-8b8d-47a5-8280-afeb737d6163\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":9,\"w\":8,\"h\":19,\"i\":\"e99fb09c-6d8a-4a26-87ca-9ab82ef137c9\"},\"panelIndex\":\"e99fb09c-6d8a-4a26-87ca-9ab82ef137c9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":9,\"w\":22,\"h\":19,\"i\":\"bf16d99c-68ac-41ea-8047-04e7c363dce3\"},\"panelIndex\":\"bf16d99c-68ac-41ea-8047-04e7c363dce3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":28,\"w\":23,\"h\":21,\"i\":\"e41240ec-8024-4f3f-9de0-869622470e4d\"},\"panelIndex\":\"e41240ec-8024-4f3f-9de0-869622470e4d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":28,\"w\":25,\"h\":21,\"i\":\"fe297ab2-9a4b-438c-913b-7b5d1dea6182\"},\"panelIndex\":\"fe297ab2-9a4b-438c-913b-7b5d1dea6182\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - DNS","version":1},"id":"55ac6bf0-6ec4-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"a9bd4090-72b9-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"07065340-72ba-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"536876a0-72ba-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"IRC - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"85b1f890-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"bf959cb0-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"e4615200-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIyOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"IRC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_HoKxQT5EBNmq4KN","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"IRC - Destination Country","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Destination Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Country\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.city_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination City\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"f625b7b0-4a56-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"IRC - Command","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"irc_command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}"},"id":"7bc09930-4a57-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzMiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - IRC","version":1},"id":"56a34ce0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"85b1f890-35b7-11e7-a994-c528746bc6e8","name":"panel_1","type":"visualization"},{"id":"bf959cb0-35b7-11e7-a994-c528746bc6e8","name":"panel_2","type":"visualization"},{"id":"e4615200-35b7-11e7-a994-c528746bc6e8","name":"panel_3","type":"visualization"},{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"3c073d20-6e17-11e7-8624-1fb07dd76c6a","name":"panel_5","type":"visualization"},{"id":"AWDG_HoKxQT5EBNmq4KN","name":"panel_6","type":"visualization"},{"id":"f625b7b0-4a56-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"},{"id":"7bc09930-4a57-11e8-9b0a-f1d33346f773","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"},"id":"57a9a3f0-34c0-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Lease Time","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Lease Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"lease_time.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Lease Time\"}}]}"},"id":"58c84f60-0edb-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Devices - Log Count By Device","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Devices - Log Count By Device\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Device\"}}]}"},"id":"5b3988c0-a840-11e7-893a-1b88920b2837","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Client Build","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Client Build\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.client_build.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.client_build.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Build\"}}]}"},"id":"bdae8640-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Security Protocol","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Security Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.security_protocol.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.security_protocol.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}"},"id":"dad85840-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzNSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:rdp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"1aacbaf6-078a-4b6e-bbd2-ae21a4974aba\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"1aacbaf6-078a-4b6e-bbd2-ae21a4974aba\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"8abc0250-1076-45e8-b62b-54dc7dd0cfca\",\"w\":16,\"x\":13,\"y\":0},\"panelIndex\":\"8abc0250-1076-45e8-b62b-54dc7dd0cfca\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"dc48b27e-f00b-4723-87ab-64f726e51e74\",\"w\":19,\"x\":29,\"y\":0},\"panelIndex\":\"dc48b27e-f00b-4723-87ab-64f726e51e74\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"da3945b4-9e74-4bb9-8868-a13f1d9bc0d8\",\"w\":9,\"x\":0,\"y\":8},\"panelIndex\":\"da3945b4-9e74-4bb9-8868-a13f1d9bc0d8\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"f4437b55-61ef-4818-a8c4-448407c7052b\",\"w\":9,\"x\":9,\"y\":8},\"panelIndex\":\"f4437b55-61ef-4818-a8c4-448407c7052b\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"33630c53-4de4-4064-a319-bd71be01dc06\",\"w\":7,\"x\":18,\"y\":8},\"panelIndex\":\"33630c53-4de4-4064-a319-bd71be01dc06\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"ed8dee78-79d4-47cf-9ed5-6120f00f3aaf\",\"w\":7,\"x\":25,\"y\":8},\"panelIndex\":\"ed8dee78-79d4-47cf-9ed5-6120f00f3aaf\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"35083762-4591-44ac-a31f-36bed3414af2\",\"w\":7,\"x\":32,\"y\":8},\"panelIndex\":\"35083762-4591-44ac-a31f-36bed3414af2\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"66e7cf00-ec90-4df3-acd3-02fb271f0959\",\"w\":9,\"x\":39,\"y\":8},\"panelIndex\":\"66e7cf00-ec90-4df3-acd3-02fb271f0959\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - RDP","version":1},"id":"5b743150-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"bdae8640-75c5-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"dad85840-75c5-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"0c006bb0-75c6-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"2e7363f0-75c6-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzIzOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Nodes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Nodes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"5cba9760-6e9b-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"MySQL - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"MySQL - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"5d9031a0-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Client Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Client Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Major Version\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.client_major_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.client_minor_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Minor Version\"}}]}"},"id":"5dcf09e0-75c8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Connection Information","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Connection Information\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connect_info.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection Info\"}}],\"listeners\":{}}"},"id":"5df79fe0-3809-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - URI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"uri.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}"},"id":"5e36c370-3753-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - FTP - Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp.argument.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"5fcdb0c0-755f-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - FIle Path","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - FIle Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"path.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Path\"}}],\"listeners\":{}}"},"id":"60384e00-3aaf-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Data Types","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Data Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Data Type\"}}],\"listeners\":{}}"},"id":"60925490-34bf-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSL - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"6139edd0-3641-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Autoruns - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"bf5ab2d0-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Hostname (Tag Cloud)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Autoruns - Hostname (Tag Cloud)\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":10,\"maxFontSize\":30},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"c5d58f60-6d78-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Hostname","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"},"id":"df5e9e80-6d79-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Launch String","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Launch String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"launch_string.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Launch String\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}}],\"listeners\":{}}"},"id":"cfd94590-6d7a-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Company","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Autoruns - Company\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":36},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"company.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"96105ff0-6d7b-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Signer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Signer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"signer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Signer\"}}],\"listeners\":{}}"},"id":"6cf187b0-6d7c-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Autoruns - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHG1IaxQT5EBNmq4yR","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI0OSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":24,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":24,\"i\":\"7\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":12,\"h\":24,\"x\":24,\"y\":24,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"10\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":48,\"h\":32,\"x\":0,\"y\":120,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"entry\",\"entry_location\",\"image_path\",\"hostname\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"Autoruns","version":1},"id":"61d43810-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"bf5ab2d0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"482be9b0-6d78-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"c5d58f60-6d78-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"1cd6a970-6d79-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"df5e9e80-6d79-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"2ef9ccd0-6d7a-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"cfd94590-6d7a-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"96105ff0-6d7b-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6cf187b0-6d7c-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHG1IaxQT5EBNmq4yR","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Source Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS Alerts - Source Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"620283e0-3af5-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Modbus - Function","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Modbus - Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"modbus.function.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"modbus.function.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}}]}"},"id":"62449800-75be-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Success","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - Success\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"id":"62969db0-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Destination IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"},"id":"62ac4060-6ea0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY4OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Desktop Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Desktop Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"desktop_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Desktop Name\"}}],\"listeners\":{}}"},"id":"63c072c0-371f-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Drilldown - Rule Signature","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Drilldown - Rule Signature\",\"type\":\"table\",\"params\":{\"perPage\":1,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"rule_signature.keyword\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"customLabel\":\"NIDS Signature\"}}]}"},"id":"6533dd40-e064-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Syslog - Facility","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Syslog - Facility\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"syslog.facility.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog.facility.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Facility\"}}]}"},"id":"e017cb80-777b-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Syslog - Severity","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Syslog - Severity\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"syslog.severity.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog.severity.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}]}"},"id":"fc8d41a0-777b-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1MiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:syslog\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"9c4d23d9-2dd5-4a9f-aa67-edc6b73f3086\"},\"panelIndex\":\"9c4d23d9-2dd5-4a9f-aa67-edc6b73f3086\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"a3e3afae-dd54-4024-9d09-608a6baecd42\"},\"panelIndex\":\"a3e3afae-dd54-4024-9d09-608a6baecd42\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"e7dbc7be-d1ef-499a-bbb6-2963bfdaabfb\"},\"panelIndex\":\"e7dbc7be-d1ef-499a-bbb6-2963bfdaabfb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":10,\"h\":19,\"i\":\"e1ea8adf-acd8-4577-9c81-1acb711d20ce\"},\"panelIndex\":\"e1ea8adf-acd8-4577-9c81-1acb711d20ce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":10,\"y\":8,\"w\":10,\"h\":19,\"i\":\"16f2046a-4417-4e78-9699-65d253db78cb\"},\"panelIndex\":\"16f2046a-4417-4e78-9699-65d253db78cb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":20,\"y\":8,\"w\":9,\"h\":19,\"i\":\"226810af-b55b-4fba-99c8-0c28ca99aa37\"},\"panelIndex\":\"226810af-b55b-4fba-99c8-0c28ca99aa37\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":8,\"w\":8,\"h\":19,\"i\":\"9cc5fffe-3834-4550-84e3-33d1246f68f6\"},\"panelIndex\":\"9cc5fffe-3834-4550-84e3-33d1246f68f6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":37,\"y\":8,\"w\":11,\"h\":19,\"i\":\"8cf5472b-8421-4577-81ad-2c496b1c71ce\"},\"panelIndex\":\"8cf5472b-8421-4577-81ad-2c496b1c71ce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Syslog","version":1},"id":"66499a20-75ed-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"e017cb80-777b-11ea-bee5-af7f7c7b8e05","name":"panel_6","type":"visualization"},{"id":"fc8d41a0-777b-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Query/Answer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Query/Answer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"answers.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}],\"listeners\":{}}"},"id":"e8e3b8a0-34c1-11e7-917c-af7a9d11771a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alerts","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Alerts\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"c7eed4c0-3649-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI1OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"id":"6ef90c30-34c0-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sensors - Sensor and Services (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sensors - Sensor and Services (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"sensor_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"9c979ea0-345b-11e7-8867-29a39c0f86b2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top 50 - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Top 50 - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}]}"},"id":"73806f30-4948-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top 50 - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Top 50 - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP\"}}]}"},"id":"c0de57b0-4948-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2NSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":0,\"i\":\"2\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":120,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":144,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":144,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":180,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":180,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":120,\"i\":\"16\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"18\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"hostname\",\"alert_level\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":204,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"20\",\"gridData\":{\"w\":48,\"h\":12,\"x\":0,\"y\":168,\"i\":\"20\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"21\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":144,\"i\":\"21\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"22\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":96,\"i\":\"22\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"panelIndex\":\"23\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":96,\"i\":\"23\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\"},{\"panelIndex\":\"24\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"24\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_15\"},{\"panelIndex\":\"26\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":0,\"i\":\"26\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_16\",\"embeddableConfig\":{}},{\"panelIndex\":\"27\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":72,\"i\":\"27\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_17\",\"embeddableConfig\":{}},{\"panelIndex\":\"28\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":72,\"i\":\"28\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_18\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Indicator","version":1},"id":"68563ed0-34bf-11e7-9b32-bb903919ead9","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"60925490-34bf-11e7-9b32-bb903919ead9","name":"panel_1","type":"visualization"},{"id":"e8e3b8a0-34c1-11e7-917c-af7a9d11771a","name":"panel_2","type":"visualization"},{"id":"ae1f1fb0-3648-11e7-bf60-314364dd1cde","name":"panel_3","type":"visualization"},{"id":"d0f56da0-3648-11e7-bf60-314364dd1cde","name":"panel_4","type":"visualization"},{"id":"8ba31820-34c6-11e7-8360-0b86c90983fd","name":"panel_5","type":"visualization"},{"id":"7153e7f0-34c7-11e7-8360-0b86c90983fd","name":"panel_6","type":"visualization"},{"id":"c7eed4c0-3649-11e7-bf60-314364dd1cde","name":"panel_7","type":"visualization"},{"id":"45a652b0-34c1-11e7-917c-af7a9d11771a","name":"panel_8","type":"visualization"},{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"panel_10","type":"search"},{"id":"934fe550-6e08-11e7-9370-174c4785d3e1","name":"panel_11","type":"visualization"},{"id":"3f4abb40-6e0a-11e7-84cc-b363f104b3c7","name":"panel_12","type":"visualization"},{"id":"53ac63e0-365b-11e7-8bd0-1db2c55fb7a1","name":"panel_13","type":"visualization"},{"id":"6ef90c30-34c0-11e7-9b32-bb903919ead9","name":"panel_14","type":"visualization"},{"id":"07fdf9e0-39ad-11e7-8472-0151e5b2b475","name":"panel_15","type":"visualization"},{"id":"9c979ea0-345b-11e7-8867-29a39c0f86b2","name":"panel_16","type":"visualization"},{"id":"73806f30-4948-11e8-9576-313be7c6b44b","name":"panel_17","type":"visualization"},{"id":"c0de57b0-4948-11e8-9576-313be7c6b44b","name":"panel_18","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network Data - Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network Data - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"689991b0-6ea7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5MCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[25.16517336866393,0.17578125],\"mapZoom\":2}}]","timeRestore":false,"title":"Connections - Source - Originator Bytes","version":1},"id":"68f738e0-46ca-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"05809df0-46cb-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI2OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Version","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"snmp.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Version\"}}]}"},"id":"690ef880-75e9-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Weird - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}}]}"},"id":"691ade50-4c85-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"c97cd4c0-35ba-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"},"id":"710ccbf0-35bb-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Kerberos - Success Status (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Success Status (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"kerberos_success.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"b31231c0-35bb-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"id":"f0178840-35bb-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Kerberos - Cipher (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Cipher (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"cipher.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"e3fffae0-3635-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"84f28670-3636-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}],\"listeners\":{}}"},"id":"f7c48a20-6e19-11e7-89e4-613b96f597e1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI3OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Renewable","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Renewable\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"renewable.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Renewable\"}}],\"listeners\":{}}"},"id":"bb748470-6e1a-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Kerberos - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_UbkxQT5EBNmq4Lg","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4MSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"request_type\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":48,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":48,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":96,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":96,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":96,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":28,\"h\":24,\"x\":0,\"y\":72,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"Bro - Kerberos","version":1},"id":"6b0d4870-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"c97cd4c0-35ba-11e7-b9ee-834112670159","name":"panel_1","type":"visualization"},{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"710ccbf0-35bb-11e7-b9ee-834112670159","name":"panel_3","type":"visualization"},{"id":"b31231c0-35bb-11e7-b9ee-834112670159","name":"panel_4","type":"visualization"},{"id":"f0178840-35bb-11e7-b9ee-834112670159","name":"panel_5","type":"visualization"},{"id":"e3fffae0-3635-11e7-a6f7-4f44d7bf1c33","name":"panel_6","type":"visualization"},{"id":"28d04080-3636-11e7-a6f7-4f44d7bf1c33","name":"panel_7","type":"visualization"},{"id":"3f34faa0-3636-11e7-a6f7-4f44d7bf1c33","name":"panel_8","type":"visualization"},{"id":"84f28670-3636-11e7-a6f7-4f44d7bf1c33","name":"panel_9","type":"visualization"},{"id":"f7c48a20-6e19-11e7-89e4-613b96f597e1","name":"panel_10","type":"visualization"},{"id":"4aa0b2a0-6e1a-11e7-89e4-613b96f597e1","name":"panel_11","type":"visualization"},{"id":"bb748470-6e1a-11e7-b553-7f80727663c1","name":"panel_12","type":"visualization"},{"id":"AWDG_UbkxQT5EBNmq4Lg","name":"panel_13","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Destination Port","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Sysmon - Destination Port\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"6b70b840-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"6c60a280-76b5-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"},"id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI4NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Event ID (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon - Event ID (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event_id\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Event Type\"}}]}"},"id":"e09f6010-6d72-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Sysmon - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHHk1sxQT5EBNmq43Y","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5MywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"6\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":28,\"x\":8,\"y\":20,\"i\":\"7\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":20,\"h\":28,\"x\":28,\"y\":20,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"event_type\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"Sysmon - Logs","version":1},"id":"6d189680-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"3072c750-6d71-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"13ed0810-6d72-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"e09f6010-6d72-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"29611940-6d75-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6b70b840-6d75-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHHk1sxQT5EBNmq43Y","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzI5NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Action (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Action (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"6f883480-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.subject.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1NywxXQ=="} -{"attributes":{"buildNum":29118,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"\n}"},"id":"7.6.1","references":[],"type":"config","updated_at":"2020-06-15T18:49:59.193Z","version":"WzAsMV0="} -{"attributes":{"buildNum":30896,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"\n}"},"id":"7.7.1","references":[],"type":"config","updated_at":"2020-06-15T19:30:22.411Z","version":"WzcwNCwyXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - MIME Flavors","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - MIME Flavors\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.flavors.mime.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_9KpxQT5EBNmq4Oo","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwMCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":8,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Modbus","version":1},"id":"70c005f0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"178209e0-6e1b-11e7-b553-7f80727663c1","name":"panel_5","type":"visualization"},{"id":"AWDG_9KpxQT5EBNmq4Oo","name":"panel_6","type":"visualization"},{"id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Chrome Extensions - Change Stats","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"osquery - ChromeExt - Change Stats\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":70}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"osquery.hostIdentifier.keyword\",\"customLabel\":\"Endpoints\"}}]}"},"id":"71538370-18d5-11e9-932c-d12d2cf4ee95","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Total Bytes Per Source/Destination IP Pair","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Total Bytes\",\"field\":\"total_bytes\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_term\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"2-orderAgg\",\"params\":{\"field\":\"total_bytes\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"3-orderAgg\",\"params\":{\"field\":\"total_bytes\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connections - Total Bytes Per Source/Destination IP Pair\",\"type\":\"table\"}"},"id":"726cc040-48cf-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - File Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - File Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Name\"}}],\"listeners\":{}}"},"id":"72f0f010-3aaf-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Log Type Per Sensor/Device","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Log Type Per Sensor/Device\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor/Device\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type\"}}]}"},"id":"733ce440-494d-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Signing Algorithm","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"X.509 - Certificate Signing Algorithm\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"certificate_signing_algorithm.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Algorithm\"}}]}"},"id":"738127f0-37d7-11e7-9efb-91e89505091f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - Command","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - FTP - Command\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ftp.command.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"d3435690-755f-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - User","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"ftp.user.keyword\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/kibana\",\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\"}}},\"label\":\"ftp.user.keyword: Descending\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Security Onion - FTP - User\",\"type\":\"table\"}"},"id":"8346bc70-7561-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - Password","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - FTP - Password\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ftp.password.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp.password.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Password\"}}]}"},"id":"bc3e2bd0-7561-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwNiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:ftp\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\"},\"panelIndex\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":15,\"h\":8,\"i\":\"1b99097d-a957-4163-9810-263a0e653c18\"},\"panelIndex\":\"1b99097d-a957-4163-9810-263a0e653c18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":8,\"i\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\"},\"panelIndex\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\"},\"panelIndex\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\"},\"panelIndex\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":8,\"w\":13,\"h\":19,\"i\":\"1bf79bc6-8595-41e0-8a7e-2b21bd2bd928\"},\"panelIndex\":\"1bf79bc6-8595-41e0-8a7e-2b21bd2bd928\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":31,\"y\":8,\"w\":17,\"h\":19,\"i\":\"e244437a-17a5-4e00-9176-f4e88ac54938\"},\"panelIndex\":\"e244437a-17a5-4e00-9176-f4e88ac54938\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":22,\"h\":16,\"i\":\"9196bb67-30ad-4a8e-b75f-22a9cced6f35\"},\"panelIndex\":\"9196bb67-30ad-4a8e-b75f-22a9cced6f35\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":27,\"w\":26,\"h\":16,\"i\":\"9da1ff1b-aebe-45fb-9e48-420eafb1b655\"},\"panelIndex\":\"9da1ff1b-aebe-45fb-9e48-420eafb1b655\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - FTP","version":1},"id":"739bfad0-755a-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"d3435690-755f-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"5fcdb0c0-755f-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"8346bc70-7561-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"bc3e2bd0-7561-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMwNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - \"From\" Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - \\\"From\\\" Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mail_from.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"From\\\" Address\"}}],\"listeners\":{}}"},"id":"73b1b240-39a2-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_agent.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}"},"id":"73f663f0-3753-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND highest_registered_domain:securityonion.net~ -securityonion.net\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Phishing Attempts Against Organizational Domain(s)","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 0\":\"rgb(0,104,55)\",\"1 - 999999\":\"rgb(165,0,38)\"}}}","version":1,"visState":"{\"title\":\"DNS - Phishing Attempts Against Organizational Domain(s)\",\"type\":\"gauge\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"gauge\":{\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":0},{\"from\":1,\"to\":999999}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"#eee\",\"bgColor\":false,\"subText\":\"Edit this to reflect your domain(s)\",\"fontSize\":60,\"labelColor\":true},\"alignment\":\"horizontal\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Phishing attempts against your domain(s)\"}}],\"listeners\":{}}"},"id":"74861280-6f06-11e7-b253-211f64f37eda","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Cookie","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"cookie.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Cookie\"}}],\"listeners\":{}}"},"id":"75597b60-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Process CLI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - Process CLI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"process.command_line.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.command_line.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Line\"}}]}"},"id":"758187b0-72bd-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - Username\"}"},"id":"767c89f0-af4c-11ea-b262-353d451b125b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T21:09:12.842Z","version":"WzcwNiwyXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Tunnels - Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Tunnels - Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"tunnel.type.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"tunnel.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"id":"781447d0-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Chrome Extensions - Sensitive Permissions","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"osquery - Chrome Extensions - Sensitive Permissions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.columns.name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Extension Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.columns.permissions.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Permissions\"}}]}"},"id":"78cf8bf0-1a59-11e9-ac0b-cb0ba10141ab","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"040dda10-18d8-11e9-932c-d12d2cf4ee95","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"MySQL - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"MySQL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHBRrrxQT5EBNmq4TI","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"MySQL - Response","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"MySQL - Response\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"response.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response\"}}]}"},"id":"9c411ad0-4a58-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"MySQL - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"MySQL - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql_success.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"c48925a0-4a58-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxMywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":8,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - MySQL","version":1},"id":"7929f430-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"5d9031a0-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"07e25650-3812-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"},{"id":"AWDHBRrrxQT5EBNmq4TI","name":"panel_4","type":"visualization"},{"id":"9c411ad0-4a58-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"c48925a0-4a58-11e8-9b0a-f1d33346f773","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FIle - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - FIle - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Name\"}}]}"},"id":"7a88adc0-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Client Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Client Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_major_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_minor_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}"},"id":"7c1e3f70-6e22-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMTP - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"7c922990-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_http AND _exists_:virtual_host_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"HTTP - Virtual Host Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Virtual Host Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"virtual_host_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Virtual Host\"}}],\"listeners\":{}}"},"id":"7d1ede50-6f19-11e7-86c8-a1b6db3b051a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Authentication Sucess","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SSH - Authentication Sucess\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.authentication.success: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssh.authentication.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"id":"7d61f430-75ea-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"7dc62970-6e2a-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Machine","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"PE - Machine\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"machine.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Machine\"}}],\"listeners\":{}}"},"id":"7de76e10-6e1f-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:highest_registered_domain_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Highest Registered Domain Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Highest Registered Domain Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"highest_registered_domain_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}],\"listeners\":{}}"},"id":"7f1f00a0-6f04-11e7-b253-211f64f37eda","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alerts Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS - Alerts Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"d58ec1a0-34e4-11e7-9669-7f1d3242b798","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS Alerts - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"a6df8820-399f-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS Alerts - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"db04aef0-399f-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Severity (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS Alerts - Severity (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"priority.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Priority\"}}],\"listeners\":{}}"},"id":"ba60bcf0-3af5-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMxOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alerts By Country (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"NIDS - Alerts By Country (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"},"id":"81de16f0-6e0f-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alert Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"NIDS - Alert Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG3ym0xQT5EBNmq3mG","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Alert Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Alert Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Alert\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"96c2cf10-4a3d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Classification","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Classification\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"classification.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Classification\"}}]}"},"id":"d66d54c0-4c89-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyNSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"panelIndex\":\"4\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":48,\"h\":68,\"x\":0,\"y\":120,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":96,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":96,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":32,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"16\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"17\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":44,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"18\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"NIDS","version":1},"id":"7f27a830-34e5-11e7-9669-7f1d3242b798","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"d58ec1a0-34e4-11e7-9669-7f1d3242b798","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"a6df8820-399f-11e7-8472-0151e5b2b475","name":"panel_3","type":"visualization"},{"id":"db04aef0-399f-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"620283e0-3af5-11e7-a83b-b1b4da7d15f4","name":"panel_5","type":"visualization"},{"id":"ba60bcf0-3af5-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"45464b50-3af6-11e7-a83b-b1b4da7d15f4","name":"panel_7","type":"visualization"},{"id":"81de16f0-6e0f-11e7-8624-1fb07dd76c6a","name":"panel_8","type":"visualization"},{"id":"AWDG3ym0xQT5EBNmq3mG","name":"panel_9","type":"visualization"},{"id":"96c2cf10-4a3d-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"},{"id":"3f040620-4a44-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"},{"id":"d66d54c0-4c89-11e8-9b0a-f1d33346f773","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Destination - Top Connection Duration (Tile Map)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Destination - Top Connection Duration (Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"7f7492d0-46c4-11e7-a82e-d97152153689","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - MAC","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - MAC\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"host.mac.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MAC\"}}]}"},"id":"eaa31ba0-7374-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Requested Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Requested Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.requested_address.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Requested Address\"}}]}"},"id":"9a693c50-7374-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Assigned Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Assigned Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.assigned_ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Assigned Address\"}}]}"},"id":"cc3aaf20-7374-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMyOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Message Type","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Message Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dhcp.message_types.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message Type\"}}]}"},"id":"af26c6e0-96e6-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzMSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dhcp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"7e10f47b-2096-452d-9b40-be150226504f\"},\"panelIndex\":\"7e10f47b-2096-452d-9b40-be150226504f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":10,\"h\":9,\"i\":\"a795e5b9-2afd-43ef-91db-cd9c23a996f9\"},\"panelIndex\":\"a795e5b9-2afd-43ef-91db-cd9c23a996f9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":0,\"w\":25,\"h\":9,\"i\":\"d0f65b83-17cd-4a8c-950d-06e5e88bf80b\"},\"panelIndex\":\"d0f65b83-17cd-4a8c-950d-06e5e88bf80b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":20,\"i\":\"c5565d1e-719c-4401-b886-1ad84638b855\"},\"panelIndex\":\"c5565d1e-719c-4401-b886-1ad84638b855\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":20,\"i\":\"ada9481a-335b-4091-ac4e-5f94c96e4cea\"},\"panelIndex\":\"ada9481a-335b-4091-ac4e-5f94c96e4cea\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":8,\"h\":20,\"i\":\"bcba795f-8008-4f91-887d-35b5aff11022\"},\"panelIndex\":\"bcba795f-8008-4f91-887d-35b5aff11022\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":9,\"w\":7,\"h\":20,\"i\":\"a9615bc2-7e50-4a88-be1c-53eb7096e093\"},\"panelIndex\":\"a9615bc2-7e50-4a88-be1c-53eb7096e093\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":31,\"y\":9,\"w\":17,\"h\":20,\"i\":\"c3c45ad6-fbbb-40d9-96e4-8bf2006ca138\"},\"panelIndex\":\"c3c45ad6-fbbb-40d9-96e4-8bf2006ca138\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - DHCP","version":1},"id":"80625c10-96dd-11ea-814e-bb515e873c2c","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"eaa31ba0-7374-11ea-a3da-cbdb4f8a90c0","name":"panel_3","type":"visualization"},{"id":"9a693c50-7374-11ea-a3da-cbdb4f8a90c0","name":"panel_4","type":"visualization"},{"id":"cc3aaf20-7374-11ea-a3da-cbdb4f8a90c0","name":"panel_5","type":"visualization"},{"id":"2af5f980-96e2-11ea-814e-bb515e873c2c","name":"panel_6","type":"visualization"},{"id":"af26c6e0-96e6-11ea-814e-bb515e873c2c","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"PE - Subsystem (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PE - Subsystem (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"subsystem.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"807da390-380c-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - Success\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.success: Descending\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"id":"80aa0c60-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - SID","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - SID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.uuid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Rule ID\"}}]}"},"id":"a47ffc70-96f0-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzMywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:alert AND event.module:suricata\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"afb23064-13dc-4b97-b1be-cf672a6cfb56\"},\"panelIndex\":\"afb23064-13dc-4b97-b1be-cf672a6cfb56\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":7,\"y\":0,\"w\":17,\"h\":7,\"i\":\"67961875-85aa-443b-9cac-130c8783cd8d\"},\"panelIndex\":\"67961875-85aa-443b-9cac-130c8783cd8d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":7,\"i\":\"44bf55fb-18d8-4ae6-a15a-902042d3623c\"},\"panelIndex\":\"44bf55fb-18d8-4ae6-a15a-902042d3623c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":19,\"h\":20,\"i\":\"cedf23aa-c331-496a-bf27-7c9c8f587d80\"},\"panelIndex\":\"cedf23aa-c331-496a-bf27-7c9c8f587d80\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":19,\"y\":7,\"w\":9,\"h\":20,\"i\":\"a2e54d3b-ee05-4d67-82d2-4ac917d9ec4b\"},\"panelIndex\":\"a2e54d3b-ee05-4d67-82d2-4ac917d9ec4b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":7,\"w\":10,\"h\":20,\"i\":\"ab088b32-c40e-4a1c-9dcd-758c1ad97edc\"},\"panelIndex\":\"ab088b32-c40e-4a1c-9dcd-758c1ad97edc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":38,\"y\":7,\"w\":10,\"h\":20,\"i\":\"2faea405-e4d3-488b-adfa-373b135d2122\"},\"panelIndex\":\"2faea405-e4d3-488b-adfa-373b135d2122\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":16,\"h\":18,\"i\":\"728a4c22-9a7e-4152-a4d6-eed2d728abb8\"},\"panelIndex\":\"728a4c22-9a7e-4152-a4d6-eed2d728abb8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":27,\"w\":22,\"h\":18,\"i\":\"32459b34-f7be-4ac0-a672-7a9697ce3bca\"},\"panelIndex\":\"32459b34-f7be-4ac0-a672-7a9697ce3bca\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":38,\"y\":27,\"w\":10,\"h\":18,\"i\":\"0681c2c1-531d-4f5e-a73f-8382789cbd14\"},\"panelIndex\":\"0681c2c1-531d-4f5e-a73f-8382789cbd14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - Alerts - Suricata","version":1},"id":"81057f40-7733-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"a37b9fa0-72b0-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"visualization"},{"id":"a47ffc70-96f0-11ea-814e-bb515e873c2c","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Response From","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Response From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.response.from.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.response.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Response From\"}}]}"},"id":"81a1a740-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"8261cf00-366e-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SNMP - Community String","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Community String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"community.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Community String\"}}]}"},"id":"83a91450-4c79-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network Data Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network Data Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":true,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"date\":true,\"interval\":\"PT30M\",\"intervalESValue\":30,\"intervalESUnit\":\"m\",\"format\":\"HH:mm\",\"bounds\":{\"min\":\"2020-03-24T15:15:25.819Z\",\"max\":\"2020-03-25T15:15:25.819Z\"}},\"label\":\"@timestamp per 30 minutes\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"8491c4b0-6eab-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DHCP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"e9a7fe80-357b-11e7-ac34-8965f6420c51","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DHCP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG80RwxQT5EBNmq38x","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzMzOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Message Types","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Message Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message_types.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message Types\"}}]}"},"id":"a88e1020-0edb-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Domain Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Domain Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"domain_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Domain Name\"}}]}"},"id":"ce859b40-0edb-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0MywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":76,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":21,\"y\":52,\"w\":13,\"h\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":8,\"y\":52,\"w\":13,\"h\":24,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"x\":8,\"y\":8,\"w\":40,\"h\":25,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":76,\"w\":48,\"h\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":null}}}},\"gridData\":{\"x\":34,\"y\":52,\"w\":14,\"h\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":33,\"w\":26,\"h\":19,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"x\":34,\"y\":33,\"w\":14,\"h\":19,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelIndex\":\"16\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Bro - DHCP","version":1},"id":"85348270-357b-11e7-ac34-8965f6420c51","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"e9a7fe80-357b-11e7-ac34-8965f6420c51","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"1055ada0-3655-11e7-baa7-b7de4ee40605","name":"panel_2","type":"visualization"},{"id":"317f8410-3655-11e7-baa7-b7de4ee40605","name":"panel_3","type":"visualization"},{"id":"AWDG80RwxQT5EBNmq38x","name":"panel_4","type":"visualization"},{"id":"4e877100-4a48-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"58c84f60-0edb-11e9-9846-59f545e7293f","name":"panel_7","type":"visualization"},{"id":"a88e1020-0edb-11e9-9846-59f545e7293f","name":"panel_8","type":"visualization"},{"id":"ce859b40-0edb-11e9-9846-59f545e7293f","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"85e40a70-3aac-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Authentication Status (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RFB - Authentication Status (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"auth.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Status\"}}],\"listeners\":{}}"},"id":"869e3030-371e-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Modbus - Exception","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Modbus - Exception\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"modbus.exception.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"modbus.exception.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Exception\"}}]}"},"id":"93cdb730-75be-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0NiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:modbus\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"dcdc1d0b-bec1-402d-a34b-39464e9a2749\"},\"panelIndex\":\"dcdc1d0b-bec1-402d-a34b-39464e9a2749\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"ccbb40c9-d2e4-4592-a91f-b1f6912a35f9\"},\"panelIndex\":\"ccbb40c9-d2e4-4592-a91f-b1f6912a35f9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"32fd8cfa-64ad-41d7-b4f7-2c71f351916a\"},\"panelIndex\":\"32fd8cfa-64ad-41d7-b4f7-2c71f351916a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":19,\"i\":\"b15f438a-6f24-4099-90e6-d66f950029bc\"},\"panelIndex\":\"b15f438a-6f24-4099-90e6-d66f950029bc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":8,\"w\":8,\"h\":19,\"i\":\"089f29d5-cf23-4b6a-8b80-27911ffd6b1a\"},\"panelIndex\":\"089f29d5-cf23-4b6a-8b80-27911ffd6b1a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":8,\"w\":14,\"h\":19,\"i\":\"4154e8b1-e314-4623-aaf4-0404a108551a\"},\"panelIndex\":\"4154e8b1-e314-4623-aaf4-0404a108551a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":19,\"i\":\"8acbc44d-4fe2-42b0-a6e9-4a3bc4e4aeb6\"},\"panelIndex\":\"8acbc44d-4fe2-42b0-a6e9-4a3bc4e4aeb6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - Modbus","version":1},"id":"886a7b90-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"62449800-75be-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"93cdb730-75be-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PE - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"9cffd160-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM0OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"PE - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHCUeZxQT5EBNmq4Xy","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1NCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"fuid\",\"machine\",\"is_exe\",\"is_64bit\",\"subsystem\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Bro - PE","version":1},"id":"8a10e380-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"9cffd160-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"45c4ae10-380c-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"807da390-380c-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"4e56b4d0-416f-11e7-9850-b78558d0ac17","name":"panel_5","type":"visualization"},{"id":"7de76e10-6e1f-11e7-b553-7f80727663c1","name":"panel_6","type":"visualization"},{"id":"AWDHCUeZxQT5EBNmq4Xy","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"8a60eb50-365f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - HASSH","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSH - HASSH\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.hassh.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"8afa5f50-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Notice Generated (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Weird - Notice Generated (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"notice.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"8dbbbed0-364e-11e7-9dc3-d35061cb642d","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Client Build","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Client Build\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"client_build.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client Build\"}}]}"},"id":"8e18ee60-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND _exists_:certificate_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"SSL - Certificate Common Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"certificate_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}}],\"listeners\":{}}"},"id":"8fa702e0-6f0b-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Files - MIME Type","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Files - MIME Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.mimetype.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"file.mimetype.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MIMEType\"}}]}"},"id":"8fb3c480-75f2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"All Sensors - Log Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"All Sensors - Log Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type(s)\"}}]}"},"id":"901bda80-a83f-11e7-893a-1b88920b2837","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RADIUS - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"ccb3e270-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"b48442b0-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"cea78b70-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM1OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"b0456970-6e1f-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"RADIUS - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHCgWzxQT5EBNmq4Y5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RADIUS - Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"},"id":"e827bab0-4a5a-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2NCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":24,\"y\":56,\"w\":24,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":56,\"w\":24,\"h\":24,\"i\":\"9\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"11\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":24,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"16\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":24,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - RADIUS","version":1},"id":"90b246c0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"ccb3e270-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"b48442b0-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"cea78b70-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"10cd7190-3809-11e7-a1cc-ebc6a7e70e84","name":"panel_4","type":"visualization"},{"id":"5df79fe0-3809-11e7-a1cc-ebc6a7e70e84","name":"panel_5","type":"visualization"},{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"b0456970-6e1f-11e7-b553-7f80727663c1","name":"panel_7","type":"visualization"},{"id":"AWDHCgWzxQT5EBNmq4Y5","name":"panel_8","type":"visualization"},{"id":"e827bab0-4a5a-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"},{"id":"30348db0-4a5b-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SIP - Destination Country (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Destination Country (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"90bf0a80-3750-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - ID","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - ID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.id.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ID\"}}]}"},"id":"91bd9990-7737-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Log Count Over Time","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"92b202e0-76b4-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security Onion - Host Data","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Host Data\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Osquery](/kibana/app/kibana#/dashboard/bf7cf8d0-7732-11ea-bee5-af7f7c7b8e05) \\n[Wazuh](/kibana/app/kibana#/dashboard/9480f190-7732-11ea-bee5-af7f7c7b8e05) \\n\"},\"aggs\":[]}"},"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Agent Name\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"f03402e0-72bc-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM2OCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.category:host\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"c743998d-d4c5-429f-87ce-67bac2649e72\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"c743998d-d4c5-429f-87ce-67bac2649e72\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"8acc6336-35b7-4c1a-b0ef-3b3ec6870b1f\",\"w\":15,\"x\":8,\"y\":0},\"panelIndex\":\"8acc6336-35b7-4c1a-b0ef-3b3ec6870b1f\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"8485e0bf-8342-42ff-82b4-eb2611191060\",\"w\":25,\"x\":23,\"y\":0},\"panelIndex\":\"8485e0bf-8342-42ff-82b4-eb2611191060\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"ba08df96-10b9-4b30-803f-f40387867ccc\",\"w\":7,\"x\":0,\"y\":8},\"panelIndex\":\"ba08df96-10b9-4b30-803f-f40387867ccc\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"254bcae3-60d3-4193-b258-6f9f3eba0af3\",\"w\":7,\"x\":7,\"y\":8},\"panelIndex\":\"254bcae3-60d3-4193-b258-6f9f3eba0af3\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"89d115c0-ee70-4250-9742-fb3c554e69a7\",\"w\":8,\"x\":14,\"y\":8},\"panelIndex\":\"89d115c0-ee70-4250-9742-fb3c554e69a7\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"6220624b-e5d5-4fa2-82e1-85287afb280a\",\"w\":9,\"x\":22,\"y\":8},\"panelIndex\":\"6220624b-e5d5-4fa2-82e1-85287afb280a\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"0c1675bb-01ef-4020-95f1-3f35e0c6fad8\",\"w\":17,\"x\":31,\"y\":8},\"panelIndex\":\"0c1675bb-01ef-4020-95f1-3f35e0c6fad8\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Host","version":1},"id":"92e63cc0-6ec0-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"f03402e0-72bc-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"4fe16b60-72bd-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"758187b0-72bd-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Content Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Content Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"content_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Content Type\"}}],\"listeners\":{}}"},"id":"930b1600-3753-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3MSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:ossec AND event.dataset:alert\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"c2172038-7740-458c-977a-98d139c438c2\"},\"panelIndex\":\"c2172038-7740-458c-977a-98d139c438c2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":18,\"h\":8,\"i\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\"},\"panelIndex\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":8,\"i\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\"},\"panelIndex\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":12,\"h\":19,\"i\":\"1f88747a-06f5-4450-8d08-150d0cd37667\"},\"panelIndex\":\"1f88747a-06f5-4450-8d08-150d0cd37667\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":8,\"w\":11,\"h\":19,\"i\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\"},\"panelIndex\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":8,\"w\":7,\"h\":19,\"i\":\"a4bd8139-6fdd-476e-b6ff-8dd036e0f747\"},\"panelIndex\":\"a4bd8139-6fdd-476e-b6ff-8dd036e0f747\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":8,\"w\":8,\"h\":19,\"i\":\"df2cccc2-5ac2-4522-9756-76a16ba2b0ce\"},\"panelIndex\":\"df2cccc2-5ac2-4522-9756-76a16ba2b0ce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":38,\"y\":8,\"w\":10,\"h\":19,\"i\":\"8b5674df-aad2-4af7-aa91-90a9d3e3980c\"},\"panelIndex\":\"8b5674df-aad2-4af7-aa91-90a9d3e3980c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":21,\"i\":\"28431fa5-4ce9-40db-a190-541b3390f9d0\"},\"panelIndex\":\"28431fa5-4ce9-40db-a190-541b3390f9d0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - Wazuh","version":1},"id":"9480f190-7732-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"91bd9990-7737-11ea-bee5-af7f7c7b8e05","name":"panel_5","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"407784f0-7738-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"search"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Total Number of Logs","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Total Number of Logs\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total Number of Logs\"}}],\"listeners\":{}}"},"id":"AWDGyaGxxQT5EBNmq3K9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM3OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sensors - Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Sensors - Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"sensor_name.keyword\"}}],\"listeners\":{}}"},"id":"AWDGzmzcxQT5EBNmq3Sj","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Devices - Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Devices - Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"syslog-host_from.keyword\"}}],\"listeners\":{}}"},"id":"AWDG0UDvxQT5EBNmq3WD","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4MSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":132,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":28,\"h\":8,\"x\":20,\"y\":0,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"19\",\"gridData\":{\"w\":48,\"h\":16,\"x\":0,\"y\":56,\"i\":\"19\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"21\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"21\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"23\",\"gridData\":{\"w\":16,\"h\":32,\"x\":32,\"y\":24,\"i\":\"23\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"32\",\"gridData\":{\"w\":12,\"h\":8,\"x\":8,\"y\":0,\"i\":\"32\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"33\",\"gridData\":{\"w\":8,\"h\":16,\"x\":32,\"y\":8,\"i\":\"33\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"34\",\"gridData\":{\"w\":8,\"h\":16,\"x\":40,\"y\":8,\"i\":\"34\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"35\",\"gridData\":{\"w\":16,\"h\":8,\"x\":0,\"y\":72,\"i\":\"35\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"36\",\"gridData\":{\"w\":16,\"h\":8,\"x\":16,\"y\":72,\"i\":\"36\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"37\",\"gridData\":{\"w\":16,\"h\":8,\"x\":32,\"y\":72,\"i\":\"37\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\"},{\"panelIndex\":\"38\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":32,\"i\":\"38\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"39\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":108,\"i\":\"39\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\",\"embeddableConfig\":{}},{\"panelIndex\":\"40\",\"gridData\":{\"w\":24,\"h\":28,\"x\":24,\"y\":80,\"i\":\"40\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}},{\"panelIndex\":\"41\",\"gridData\":{\"w\":24,\"h\":28,\"x\":0,\"y\":80,\"i\":\"41\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_15\"}]","timeRestore":false,"title":"Overview","version":1},"id":"94b52620-342a-11e7-9d52-4f090484f59e","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"panel_1","type":"search"},{"id":"1c2aeb50-365e-11e7-b896-5bdd6bfa1561","name":"panel_2","type":"visualization"},{"id":"277f3250-4161-11e7-8493-51634b0a4565","name":"panel_3","type":"visualization"},{"id":"901bda80-a83f-11e7-893a-1b88920b2837","name":"panel_4","type":"visualization"},{"id":"5b3988c0-a840-11e7-893a-1b88920b2837","name":"panel_5","type":"visualization"},{"id":"AWDGyaGxxQT5EBNmq3K9","name":"panel_6","type":"visualization"},{"id":"AWDGzmzcxQT5EBNmq3Sj","name":"panel_7","type":"visualization"},{"id":"AWDG0UDvxQT5EBNmq3WD","name":"panel_8","type":"visualization"},{"id":"AWDG1uC-xQT5EBNmq3dP","name":"panel_9","type":"visualization"},{"id":"AWDG3ym0xQT5EBNmq3mG","name":"panel_10","type":"visualization"},{"id":"AWDG4pcDxQT5EBNmq3pi","name":"panel_11","type":"visualization"},{"id":"733ce440-494d-11e8-9576-313be7c6b44b","name":"panel_12","type":"visualization"},{"id":"2a949080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_13","type":"visualization"},{"id":"96c2cf10-4a3d-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"},{"id":"ee0ba080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_15","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4MywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:snmp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"752f2974-3abc-482c-afdc-c85cf5643cc6\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"752f2974-3abc-482c-afdc-c85cf5643cc6\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"dfa3b3da-b86b-4d11-add3-c7e18c40654b\",\"w\":17,\"x\":13,\"y\":0},\"panelIndex\":\"dfa3b3da-b86b-4d11-add3-c7e18c40654b\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"4c444c07-93f9-43d2-966e-1a0db864c011\",\"w\":18,\"x\":30,\"y\":0},\"panelIndex\":\"4c444c07-93f9-43d2-966e-1a0db864c011\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"3f20fbbb-d47b-4b9e-94a0-f5f144ce0dd2\",\"w\":9,\"x\":0,\"y\":8},\"panelIndex\":\"3f20fbbb-d47b-4b9e-94a0-f5f144ce0dd2\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"5c5850b6-1e17-4d4a-9122-8d6a6b275fb0\",\"w\":10,\"x\":9,\"y\":8},\"panelIndex\":\"5c5850b6-1e17-4d4a-9122-8d6a6b275fb0\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"2df47b07-dcfd-46a9-a908-cd03bb3ae82e\",\"w\":11,\"x\":19,\"y\":8},\"panelIndex\":\"2df47b07-dcfd-46a9-a908-cd03bb3ae82e\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"7fec36da-2c28-4eef-9d15-bd5d64628d1d\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"7fec36da-2c28-4eef-9d15-bd5d64628d1d\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - SNMP","version":1},"id":"96522610-75e8-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"424ace90-75e9-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"690ef880-75e9-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - \"To\" Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - \\\"To\\\" Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"recipient_to.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"To\\\" Address\"}}],\"listeners\":{}}"},"id":"96767400-39a2-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"fd549d70-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f9a16c80-371b-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM4OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Keyboard Layout (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Keyboard Layout (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"keyboard_layout.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Keyboard Layout\"}}]}"},"id":"be7637c0-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Result (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Result (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"result.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Result\"}}]}"},"id":"c4f37d70-6e20-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Encryption Level (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"RDP - Encryption Level (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Encryption Level\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"encryption_level.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Encryption Level\"}}]}"},"id":"ef307a70-6e20-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"RDP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHCvBexQT5EBNmq4aK","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5OCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"w\":12,\"h\":12,\"x\":36,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":12,\"h\":12,\"x\":8,\"y\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":16,\"h\":12,\"x\":20,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":20,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"Bro - RDP","version":1},"id":"97f8c3a0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"fd549d70-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"f9a16c80-371b-11e7-90f8-87842d5eedc9","name":"panel_3","type":"visualization"},{"id":"0b9dea80-371c-11e7-90f8-87842d5eedc9","name":"panel_4","type":"visualization"},{"id":"19dfd180-371c-11e7-90f8-87842d5eedc9","name":"panel_5","type":"visualization"},{"id":"524e13b0-371c-11e7-90f8-87842d5eedc9","name":"panel_6","type":"visualization"},{"id":"75597b60-371c-11e7-90f8-87842d5eedc9","name":"panel_7","type":"visualization"},{"id":"8e18ee60-371c-11e7-90f8-87842d5eedc9","name":"panel_8","type":"visualization"},{"id":"be7637c0-371c-11e7-90f8-87842d5eedc9","name":"panel_9","type":"visualization"},{"id":"c4f37d70-6e20-11e7-b553-7f80727663c1","name":"panel_10","type":"visualization"},{"id":"ef307a70-6e20-11e7-b553-7f80727663c1","name":"panel_11","type":"visualization"},{"id":"AWDHCvBexQT5EBNmq4aK","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzM5OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"9a33f9a0-365f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"9a54f150-366e-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxNywxXQ=="} -{"attributes":{"columns":["source_ip","name","software_type"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_software\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Software - Logs","version":1},"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Software - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Software - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version_major.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version_minor.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"software_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}}]}"},"id":"9b0f6a80-4c7a-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Zeek - Notice","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Zeek - Notice\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"notice.note.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Notice\"}}]}"},"id":"9c6ccff0-7a84-11ea-9d13-57f5db13d1ed","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2NywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"meta\":{\"negate\":true,\"disabled\":true,\"alias\":\"Initial Systems/Queries\",\"type\":\"phrase\",\"key\":\"osquery.counter\",\"value\":\"0\",\"params\":{\"query\":0,\"type\":\"phrase\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"osquery.counter\":{\"query\":0,\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"type\":\"phrases\",\"key\":\"osquery.codename\",\"value\":\"server\",\"params\":[\"server\"],\"negate\":false,\"disabled\":true,\"alias\":\"Servers Only\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"osquery.codename\":\"server\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":64,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"columns\":[\"osquery.hostname\",\"osquery.name\",\"osquery.LiveQuery\",\"osquery.EndpointIP1\",\"osquery.EndpointIP2\"]},\"gridData\":{\"x\":8,\"y\":27,\"w\":40,\"h\":21,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":13,\"i\":\"12\"},\"panelIndex\":\"12\",\"title\":\"\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"x\":8,\"y\":13,\"w\":40,\"h\":14,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelIndex\":\"13\",\"embeddableConfig\":{},\"title\":\"Changes by Type\",\"panelRefName\":\"panel_3\"},{\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":13,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelIndex\":\"14\",\"embeddableConfig\":{},\"title\":\"Changes by Hostname\",\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"osquery - Overview","version":1},"id":"9d0e2da0-14e1-11e9-82f7-0da02d93a48b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index","type":"index-pattern"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"panel_1","type":"search"},{"id":"2f556c90-14e3-11e9-82f7-0da02d93a48b","name":"panel_2","type":"visualization"},{"id":"369e16e0-14e4-11e9-82f7-0da02d93a48b","name":"panel_3","type":"visualization"},{"id":"05a5ed10-14e4-11e9-82f7-0da02d93a48b","name":"panel_4","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQwNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Source Ports","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Source Ports\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source Port\"}}]}"},"id":"9d3413c0-6ea0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5NSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:ssh\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"b816ee0e-45c6-438d-a4ed-799d9e80a9f0\"},\"panelIndex\":\"b816ee0e-45c6-438d-a4ed-799d9e80a9f0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"cbfd7081-d82b-4e29-b21c-6e9584d67328\"},\"panelIndex\":\"cbfd7081-d82b-4e29-b21c-6e9584d67328\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"d9b0c92a-8625-4e72-8a7c-333381e17244\"},\"panelIndex\":\"d9b0c92a-8625-4e72-8a7c-333381e17244\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":10,\"h\":19,\"i\":\"766c95ce-e20f-4e88-935f-2211b7be6b65\"},\"panelIndex\":\"766c95ce-e20f-4e88-935f-2211b7be6b65\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":10,\"y\":8,\"w\":10,\"h\":19,\"i\":\"e9ec8c9e-8a76-4501-abcb-2c9c08adfc44\"},\"panelIndex\":\"e9ec8c9e-8a76-4501-abcb-2c9c08adfc44\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":20,\"y\":8,\"w\":13,\"h\":19,\"i\":\"c2747e56-14c2-4a70-a1a7-e31affae20f8\"},\"panelIndex\":\"c2747e56-14c2-4a70-a1a7-e31affae20f8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":8,\"w\":15,\"h\":19,\"i\":\"ff324073-699d-4b26-b4fd-28190fa3803b\"},\"panelIndex\":\"ff324073-699d-4b26-b4fd-28190fa3803b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":17,\"h\":18,\"i\":\"248c6442-b868-4e06-bfaa-e6da2d2d7463\"},\"panelIndex\":\"248c6442-b868-4e06-bfaa-e6da2d2d7463\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":17,\"y\":27,\"w\":16,\"h\":18,\"i\":\"d24e4833-8b52-45ac-ac3f-bb31379e8380\"},\"panelIndex\":\"d24e4833-8b52-45ac-ac3f-bb31379e8380\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":27,\"w\":15,\"h\":18,\"i\":\"6711f807-284e-4025-99bb-cee25c0e970d\"},\"panelIndex\":\"6711f807-284e-4025-99bb-cee25c0e970d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - SSH","version":1},"id":"9dfd77e0-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"292b1db0-75ea-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"46221fe0-75ea-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"7d61f430-75ea-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"104a4a90-75eb-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"8afa5f50-75eb-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DCE/RPC - Endpoint","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DCE/RPC - Endpoint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.endpoint.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint\"}}]}"},"id":"a427d6e0-96db-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DCE/RPC - Named Pipe","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DCE/RPC - Named Pipe\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.named_pipe.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Named Pipe\"}}]}"},"id":"c2f21270-96db-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DCE/RPC - Operation","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DCE/RPC - Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.operation.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"}}]}"},"id":"df7989f0-96db-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxMywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dce_rpc\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"95dc50d5-926a-4ab3-a746-0e53f475d658\"},\"panelIndex\":\"95dc50d5-926a-4ab3-a746-0e53f475d658\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":14,\"h\":9,\"i\":\"5b559994-ed67-43c8-8eed-ab30fd8b3d26\"},\"panelIndex\":\"5b559994-ed67-43c8-8eed-ab30fd8b3d26\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":9,\"i\":\"4251a61c-1dcd-47b3-9866-f7ed939c73d4\"},\"panelIndex\":\"4251a61c-1dcd-47b3-9866-f7ed939c73d4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":21,\"i\":\"e74255f5-4dc6-4df0-ab24-032dd7d4bc02\"},\"panelIndex\":\"e74255f5-4dc6-4df0-ab24-032dd7d4bc02\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":21,\"i\":\"55f5c9e0-264b-44d1-9b49-0bb7890ef4bd\"},\"panelIndex\":\"55f5c9e0-264b-44d1-9b49-0bb7890ef4bd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":9,\"h\":21,\"i\":\"2a33a3df-4690-4ea4-a71a-9c98cb612213\"},\"panelIndex\":\"2a33a3df-4690-4ea4-a71a-9c98cb612213\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":9,\"w\":8,\"h\":21,\"i\":\"ee61c32f-e801-494f-a819-b5788bed856f\"},\"panelIndex\":\"ee61c32f-e801-494f-a819-b5788bed856f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":21,\"i\":\"f7c23591-431c-4a4c-a69b-a349c37697da\"},\"panelIndex\":\"f7c23591-431c-4a4c-a69b-a349c37697da\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - DCE/RPC","version":1},"id":"9e882df0-72c5-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"a427d6e0-96db-11ea-814e-bb515e873c2c","name":"panel_5","type":"visualization"},{"id":"c2f21270-96db-11ea-814e-bb515e873c2c","name":"panel_6","type":"visualization"},{"id":"df7989f0-96db-11ea-814e-bb515e873c2c","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxNCwxXQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.module:osquery\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Osquery","version":1},"id":"9eed5fc0-afcb-11ea-b262-353d451b125b","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-16T12:19:26.779Z","version":"WzcyMywyXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Authentication Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Authentication Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"authentication_method.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Method\"}}],\"listeners\":{}}"},"id":"bf47f4c0-371e-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQxOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"bbbe5a80-6e21-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"d6ec3570-6e21-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"e8982270-6e21-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Authentication Method (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RFB - Authentication Method (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"authentication_method.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}"},"id":"c24191f0-6e22-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"RFB - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHC8iGxQT5EBNmq4bs","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyNywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":56,\"i\":\"6\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":104,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"11\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":56,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":80,\"i\":\"13\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":80,\"i\":\"14\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"15\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":80,\"i\":\"15\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":20,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"17\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"Bro - RFB","version":1},"id":"9ef20ae0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"265a04d0-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"869e3030-371e-11e7-90f8-87842d5eedc9","name":"panel_2","type":"visualization"},{"id":"bf47f4c0-371e-11e7-90f8-87842d5eedc9","name":"panel_3","type":"visualization"},{"id":"14274040-371f-11e7-90f8-87842d5eedc9","name":"panel_4","type":"visualization"},{"id":"63c072c0-371f-11e7-90f8-87842d5eedc9","name":"panel_5","type":"visualization"},{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"bbbe5a80-6e21-11e7-b553-7f80727663c1","name":"panel_7","type":"visualization"},{"id":"d6ec3570-6e21-11e7-b553-7f80727663c1","name":"panel_8","type":"visualization"},{"id":"e8982270-6e21-11e7-b553-7f80727663c1","name":"panel_9","type":"visualization"},{"id":"4fade7b0-6e22-11e7-b553-7f80727663c1","name":"panel_10","type":"visualization"},{"id":"7c1e3f70-6e22-11e7-b553-7f80727663c1","name":"panel_11","type":"visualization"},{"id":"c24191f0-6e22-11e7-b553-7f80727663c1","name":"panel_12","type":"visualization"},{"id":"AWDHC8iGxQT5EBNmq4bs","name":"panel_13","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Content Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Content Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.content_type.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.content_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"id":"9ff24600-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Help","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Help\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"markdown\":\"## Introduction\\nWelcome to the Security Onion Elastic Stack! This is our implementation of the Elastic Stack on Security Onion. The Elastic Stack consists of three primary components:\\n- `Elasticsearch` - stores logs\\n- `Logstash` - collects and enriches logs before storing them in Elasticsearch\\n- `Kibana` - web interface for visualizing logs\\n\\n## Sidebar\\nStarting on the far left side of the page, you see the Sidebar. This contains links such as:\\n- `Discover` - search data\\n- `Visualize` - create visualizations based on searches\\n- `Dashboard` - view or create dashboards based on visualizations\\n- `Timelion` - timeline analysis\\n- `Dev Tools` - query Elasticsearch directly\\n- `Management` - view or modify Kibana settings\\n- `Squert` - separate web interface for viewing NIDS and HIDS alerts\\n- `Logout` - log out of your session\\n\\nThe first six of those links are within Kibana itself. If you click one of those and then want to get back to the Dashboards area where you started, simply click the `Dashboard` link.\\n\\nClicking the `Squert` link will take you out of Kibana and into Squert. You will not be required to authenticate to Squert since you already have an active Single Sign On (SSO) session.\\n\\nClicking the `Logout` link in either Squert or Kibana will log you out of your SSO session and take you back to the logon screen.\\n\\n## Navigation Panel\\nWhen you are in the Kibana Dashboard area, the panel to the immediate right of the sidebar is the Navigation Panel and it includes links to our dashboards such as Home, Help (this page), Bro Notices, ElastAlert, HIDS, NIDS, etc. Clicking one of the links in the Navigation Panel will take you to a dashboard dedicated to that particular log type. \\n\\n## Dashboards\\nAll dashboards are designed to work at 1024x768 screen resolution in order to maximize compatibility.\\n\\n### Dashboard Hyperlinks\\n\\nThe `source_ip` and `destination_ip` fields are hyperlinked. These hyperlinks will take you to the Indicator dashboard which will help you analyze the traffic relating to that particular IP address.\\n\\n`UID` fields are also hyperlinked. This hyperlink will start a new Kibana search for that particular UID. In the case of Bro UIDs this will show you all Bro logs related to that particular connection.\\n\\nEach log entry also has an `_id` field that is hyperlinked. This hyperlink will take you to CapMe, allowing you to request full packet capture for any arbitrary log type. This assumes that the log is for tcp or udp traffic that was seen by Bro and Bro recorded it correctly in its conn.log. \\n\\n### Overview Dashboard\\nWhen you first go to the Kibana Dashboard area, you are automatically placed into the Overview dashboard, where you will see overview information, such as total number of logs and sensors. Use the information on the Overview dashboard to determine which of the other dashboards on the Navigation Panel you might want to visit next.\\n\\n### Dashboard Categories\\nOur remaining dashboards are grouped into a few categories:\\n- `Alert Data` - dashboards that display alerts created by rules or signatures\\n- `Bro Hunting` - dashboards that allow you to slice and dice network metadata for hunting\\n- `Host Hunting` - dashboards that allow you to hunt via host telemetry\\n- `Other` - dashboards that don't fit into the categories above\\n\\n### Bro Notices\\nBro sniffs network traffic and generates notices such as `SSL::Invalid Server Cert` and `TeamCymruMalwareHashRegistry::Match`.\\n\\n### ElastAlert\\nElastAlert queries Elasticsearch on a regular basis and then generates alerts based on your desired criteria. Security Onion includes two example rules that alert on new IDS events and new connection logs. You can add your own ElastAlert rules in `/etc/elastalert/rules/`.\\n\\n### HIDS\\nOSSEC analyzes log files and generates Host Intrusion Detection System alerts based on its ruleset at `/var/ossec/rules/`. You can add your own rules in `/var/ossec/rules/local_rules.xml`.\\n\\n### NIDS\\nSecurity Onion can use either Snort or Suricata to sniff network traffic and generate Network Intrusion Detection System alerts. \\n\\n### Connections\\nBro sniffs network traffic and logs connection metadata including source IP/port, destination IP/port, protocol, and number of bytes.\\n\\n### DCE/RPC\\nBro sniffs network traffic and logs DCE/RPC metadata including source IP/port, destination IP/port, operation, endpoint, and named pipe.\\n\\n### DHCP\\nBro sniffs network traffic and logs DHCP requests and responses including source IP/port, destination IP/port, and MAC addresses.\\n\\n### DNP3\\nBro sniffs network traffic and logs DNP3 metadata including source IP/port, destination IP/port, function request, function reply.\\n\\n### DNS\\nBro sniffs network traffic and logs DNS queries and answers. Bro also includes other name lookups such as Windows NetBIOS name service requests and Bonjour.\\n\\n### Files\\nBro sniffs network traffic and logs metadata related to files being transferred over the network including IP addresses, MIME type, source, and checksums.\\n\\n### FTP\\nBro sniffs network traffic and logs FTP metadata including source IP/port, destination IP/port, command, reply code, argument, and username.\\n\\n### HTTP\\nBro sniffs network traffic and logs HTTP metadata including source IP/port, destination IP/port, method, status message, MIME type, site name, referer, and user agent.\\n\\n### Intel\\nBro sniffs network traffic and watches for indicators using the Intel framework. You can add your own indicators to `/opt/bro/share/bro/intel/intel.dat`.\\n\\n### IRC\\nBro sniffs network traffic and logs IRC metadata including source IP/port, destination IP/port, command, and username.\\n\\n### Kerberos\\nBro sniffs network traffic and logs Kerberos metadata including source IP/port, destination IP/port, cipher, client, server, service, request type, and success status.\\n\\n### Modbus\\nBro sniffs network traffic and logs Modbus metadata including source IP/port, destination IP/port, and function.\\n\\n### MySQL\\nBro sniffs network traffic and logs MySQL metadata including source IP/port, destination IP/port, command/argument, status, and response.\\n\\n### NTLM\\nBro sniffs network traffic and logs NTLM metadata including source IP/port, destination IP/port, hostname, username, and status.\\n\\n### PE\\nBro sniffs network traffic and logs PE metadata including OS, subsystem, machine, and section name.\\n\\n### RADIUS\\nBro sniffs network traffic and logs RADIUS metadata including source IP/port, destination IP/port, username, and result.\\n\\n### RDP\\nBro sniffs network traffic and logs RDP metadata including source IP/port, destination IP/port, client build, keyboard layout, encryption level, and result.\\n\\n### RFB\\nBro sniffs network traffic and logs RFB metadata including source IP/port, destination IP/port, authentication method, authentication status, client version, server version, and desktop name.\\n\\n### SIP\\nBro sniffs network traffic and logs SIP metadata including source IP/port, destination IP/port, method, content type, status, uri, and user agent.\\n\\n### SMB\\nBro sniffs network traffic and logs SMB metadata including source IP/port, destination IP/port, file name, and action.\\n\\n### SMTP\\nBro sniffs network traffic and logs SMTP metadata including source IP/port, destination IP/port, from, to, subject, and user agent.\\n\\n### SNMP\\nBro sniffs network traffic and logs SNMP metadata including source IP/port, destination IP/port, version, community, and duration.\\n\\n### Software\\nBro sniffs network traffic and logs metadata relating to the kinds of software that generated that traffic including name, type, and version.\\n\\n### SSH\\nBro sniffs network traffic and logs SSH metadata including source IP/port, destination IP/port, client version, server version, and success.\\n\\n### SSL\\nBro sniffs network traffic and logs SSL metadata including source IP/port, destination IP/port, server name, certificate subject, cipher, and validation status.\\n\\n### Syslog\\nBro sniffs network traffic and logs Syslog metadata including source IP/port, destination IP/port, severity, and protocol.\\n\\n### Tunnels\\nBro sniffs network traffic and detects IP, GRE, SOCKS, TEREDO, and AVAYA tunnels. It logs metadata including source IP/port, destination IP/port, type, and action.\\n\\n### Weird\\nBro sniffs network traffic and logs protocol anomalies metadata including source IP/port, destination IP/port, and the type of anomaly.\\n\\n### X.509\\nBro sniffs network traffic and logs X.509 metadata including certificate subject, issuer, key algorithm, key length, and signing algorithm.\\n\\n### Autoruns\\nSysinternals Autoruns can identify the processes which Windows is configured to automatically run. Autoruns data can then be ingested via [Autoruns To WinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog).\\n\\n### Beats\\nElastic Beats can be deployed on endpoints to collect host telemetry and send to Logstash for storage in Elasticsearch.\\n\\n### OSSEC\\nOSSEC agents can be deployed on endpoints to collect host telemetry and send to the OSSEC Server included in Security Onion. OSSEC Alerts can be found in the Alert Data category at the top of the Navigation Panel. This OSSEC hunting dashboard will allow you to hunt through all OSSEC logs, not just alerts.\\n\\n### Sysmon\\nSysinternal Sysmon provides comprehensive telemetry for Windows hosts. Its logs can be consumed using Beats, OSSEC, or other transport mechanism.\\n\\n### Domain Stats\\nSecurity Onion includes a tool called domain_stats which will do a whois lookup on a domain name to determine the age of the domain. If enabled, this dashboard looks for baby domains that have been recently registered. Please note that domain_stats is only enabled when running in Evaluation Mode.\\n\\n### Firewall\\nFirewall logs can be consumed via syslog or other transport mechanism. Once consumed, this dashboard allows you to slice and dice those firewall logs based on source IP/port, destination IP/port, protocol, and action.\\n\\n### Frequency\\nSecurity Onion includes a tool called freq_server which can perform frequency analysis of hostnames. If enabled, this dashboard will show hostnames with a frequency analysis score that indicates that they could have been randomly generated. Please note that freq_server is only enabled when running in Evaluation Mode.\\n\\n### Stats\\nThis dashboard shows statistics for Logstash including processing times for different log types and any errors that may have occurred.\\n\\n## More Information\\nFor additional information, please refer to our documentation at:\\n\\nhttps://securityonion.net/docs/Elastic\",\"type\":\"markdown\"},\"aggs\":[]}"},"id":"AV6-PHKnDwoBUzALqJ_c","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQyOSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":40,\"h\":204,\"x\":8,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Help","version":1},"id":"AV6-POJSDwoBUzALqKAg","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"AV6-PHKnDwoBUzALqJ_c","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND _exists_:issuer_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"SSL - Certificate Issuer Common Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Issuer Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer Common Name\"}}],\"listeners\":{}}"},"id":"a83f17c0-6f0b-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND _exists_:server_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"SSL - Certificate Server Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Server Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"server_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Server Name\"}}],\"listeners\":{}}"},"id":"c2e54c20-6f0b-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:certificate_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"X.509 - Certificate Common Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"certificate_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}}],\"listeners\":{}}"},"id":"e03ba1d0-6f0a-11e7-83d2-adea2f314dc5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:issuer_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"X.509 - Certificate Issuer Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Issuer Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer\"}}],\"listeners\":{}}"},"id":"acd38970-6f0a-11e7-83d2-adea2f314dc5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:issuer_organization_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"X.509 - Certificate Issuer Organization Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Issuer Organization Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_organization_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_organization.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer Organization\"}}],\"listeners\":{}}"},"id":"c3f244c0-6f0a-11e7-83d2-adea2f314dc5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:parent_domain_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Parent Domain Frequency Analysis","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"DNS - Parent Domain Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"parent_domain_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}],\"listeners\":{}}"},"id":"c9f5d3a0-6f05-11e7-b253-211f64f37eda","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQzOSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":52,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":76,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":76,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":100,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":100,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":124,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":124,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":52,\"x\":0,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":48,\"h\":80,\"x\":0,\"y\":148,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":40,\"h\":28,\"x\":8,\"y\":24,\"i\":\"12\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}]","timeRestore":false,"title":"Frequency Analysis","version":1},"id":"AWAi5k4jAvKNGEbUWFis","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f1f00a0-6f04-11e7-b253-211f64f37eda","name":"panel_0","type":"visualization"},{"id":"7d1ede50-6f19-11e7-86c8-a1b6db3b051a","name":"panel_1","type":"visualization"},{"id":"8fa702e0-6f0b-11e7-9d31-23c0596994a7","name":"panel_2","type":"visualization"},{"id":"a83f17c0-6f0b-11e7-9d31-23c0596994a7","name":"panel_3","type":"visualization"},{"id":"c2e54c20-6f0b-11e7-9d31-23c0596994a7","name":"panel_4","type":"visualization"},{"id":"e03ba1d0-6f0a-11e7-83d2-adea2f314dc5","name":"panel_5","type":"visualization"},{"id":"acd38970-6f0a-11e7-83d2-adea2f314dc5","name":"panel_6","type":"visualization"},{"id":"c3f244c0-6f0a-11e7-83d2-adea2f314dc5","name":"panel_7","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_8","type":"visualization"},{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"panel_9","type":"search"},{"id":"c9f5d3a0-6f05-11e7-b253-211f64f37eda","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0MCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":40,\"h\":48,\"x\":8,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":48,\"h\":36,\"x\":0,\"y\":48,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"]}}]","timeRestore":false,"title":"Baby Domains","version":1},"id":"AWAi6wvxAvKNGEbUWO_j","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"41ec0ca0-6f13-11e7-86c8-a1b6db3b051a","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"fce833e0-6f12-11e7-86c8-a1b6db3b051a","name":"panel_2","type":"search"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0MywxXQ=="} -{"attributes":{"fieldFormatMap":"{\"process_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}},\"event_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"aa\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"aa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"analyzer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"analyzer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"answers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"answers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"apache2.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"apache2.error.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.tid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.a0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.acct\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.item\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.items\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.new_auid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.new_ses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.old_auid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.old_ses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.ppid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.record_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.res\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.sequence\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"auth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_attempts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_ca\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_path_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bound_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"call_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"call_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_exponent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_exponent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_number_days_valid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_permanent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_permanent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_signing_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_signing_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"checksum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"checksum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"class.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_build.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_digital_product_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_digital_product_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"community\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"community.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compile_ts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compile_ts.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compression_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compression_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connect_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connect_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookie\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_passive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_channel_passive.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"desktop_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_width\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dest_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_city\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_city.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_latitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_region.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dir\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dir.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"direction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"direction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"display_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"display_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"enabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"enabled.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"endpoint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry_location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry_location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"escalated_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"escalated_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"established\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"established.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AccountName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AlgorithmName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AuthenticationPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CommandLine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Configuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ConfigurationFileHash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CurrentDirectory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationIp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationIsIpv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationPort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceVersionMajor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceVersionMinor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DirtyPages\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ElevatedToken\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.EventType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ExtraInfoLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ExtraInfoString\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.FilterID\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.FinalStatus\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Hashes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiveName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiveNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ImagePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ImpersonationLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IntegrityLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IpAddress\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IpPort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyFilePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeysUpdated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LmPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OldTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OriginalSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentCommandLine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentImage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentProcessGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PreviousCreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PreviousTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PrivilegeList\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProviderName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.RestrictedAdminMode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ReturnCode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SchemaVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ServiceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ServiceType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceHostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceIp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceIsIpv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourcePort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.StartType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.State\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetFilename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetLinkedLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetObject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetOutboundDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetOutboundUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TerminalSessionId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TransmittedServices\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.UtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.VirtualAccount\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Workstation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WorkstationName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param10\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param11\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param12\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param14\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param15\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param16\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param17\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param19\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param20\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param21\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param22\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param7\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param8\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param9\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.serviceGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateRevisionNumber\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateTitle\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exception\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exception.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileset.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileset.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"first_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"first_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"flow_label\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"flow_label.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"forwardable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"forwardable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"freq_virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"freq_virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"frequency_scores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"frequency_scores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"function\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"function.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_bulk_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_bulk_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_cert_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_cert_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_debug_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_debug_data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_export_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_export_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_import_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_import_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"highest_registered_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hop_limit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hop_limit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.debug.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.debug.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.debug.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.main.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.main.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.main.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.startup.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.startup.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.startup.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"iin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"iin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in_reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in_reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"info_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"initiated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"interface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"interface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_offset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_tos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_tos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_64bit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_64bit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_exe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_exe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_source_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_source_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_webmail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_webmail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_distinguished_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.trace.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.trace.full\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.trace.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kex_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kex_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keyboard_layout\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keyboard_layout.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.container.image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.namespace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.pod.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"launch_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"launch_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lease_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"lease_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logged.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.log.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.thread\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.plugin_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.plugin_params\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.plugin_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.thread\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.took_in_millis\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.took_in_nanos\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matched\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matched.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.availability_zone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.instance_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.instance_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.machine_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.project_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mimetype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mimetype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missing_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.error.thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.lock_time.sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.query_time.sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.rows_examined\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.rows_sent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.timestamp\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"n\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"named_pipe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"named_pipe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"native_file_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"native_file_system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"next_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"next_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nginx.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.connection_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nginx.error.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.tid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nick\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nick.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"note\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"note.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"num_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"offset\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_agent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_agent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"overflow_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.database\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"postgresql.log.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prev_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prev_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"profile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"profile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prospector.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"proxied.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_class_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_type_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ra\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ra.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rcode_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"read_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"recipient_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"recipient_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"redis.log.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.role\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.cmd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.duration.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rejected\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rejected.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related_activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"renewable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_color_depth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_color_depth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_resource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_resource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resumed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resumed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rows.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"san_dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"san_dns.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"second_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"second_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"section_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"section_names.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"security_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"security_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_node\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_node.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_where\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_where.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_major_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_minor_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"set_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"set_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_flag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_flag.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"site.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sources.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"stream\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_rule_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_rule_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"suppress_for\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-sourceip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sysmon_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sysmon_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.groupadd.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.groupadd.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.dropped_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.home\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.shell\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.uid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"terminal_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timed_out\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timed_out.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_accessed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_accessed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_changed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_changed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_created.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_modified.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tld.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tld.subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"top_level_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tracker_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tracker_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.backend_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.frontend_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.request_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"trans_depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"transaction_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ttls\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"unparsed_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"unparsed_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"up_since\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"up_since.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.binaryData\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.binaryDataSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.xml_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"useragent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_aslr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_aslr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_code_integrity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_code_integrity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_dep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_dep.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_seh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_seh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_till\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_till.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"validation_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"validation_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"warning\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"warning.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"width.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x_originating_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"xml\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"year\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"z.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:logstash-beats-*"},"id":"AWBLHZaBRuBloj96jvrD","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0NCwxXQ=="} -{"attributes":{"columns":["computer_name","process_id","user.name","event_id","event_data.Image"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"All Beats Logs","version":1},"id":"AWBLMr9vRuBloj96jxp1","migrationVersion":{"search":"7.4.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Process IDs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Beats - Process IDs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"AWBLN7X2RuBloj96jxxY","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Computer Names","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Beats - Computer Names\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"computer_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"AWBLNriuRuBloj96jxv3","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Event IDs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Beats - Event IDs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"AWBLOT8MRuBloj96jx0N","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Usernames","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"Beats - Usernames\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"AWBLONJCRuBloj96jxzY","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ0OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Beats - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"AWBLQ2__RuBloj96jyDn","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Beats - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHHHR8xQT5EBNmq4z7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1MSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":48,\"h\":44,\"x\":0,\"y\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"columns\":[\"computer_name\",\"process_id\",\"user.name\",\"event_id\",\"event_data.Image\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":28,\"h\":8,\"x\":20,\"y\":0,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":12,\"h\":8,\"x\":8,\"y\":0,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"Beats","version":1},"id":"AWBLNS3CRuBloj96jxub","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"AWBLMr9vRuBloj96jxp1","name":"panel_0","type":"search"},{"id":"AWBLNriuRuBloj96jxv3","name":"panel_1","type":"visualization"},{"id":"AWBLN7X2RuBloj96jxxY","name":"panel_2","type":"visualization"},{"id":"AWBLOT8MRuBloj96jx0N","name":"panel_3","type":"visualization"},{"id":"AWBLONJCRuBloj96jxzY","name":"panel_4","type":"visualization"},{"id":"AWBLQ2__RuBloj96jyDn","name":"panel_5","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_6","type":"visualization"},{"id":"AWDHHHR8xQT5EBNmq4z7","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Connections - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG71xFxQT5EBNmq336","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DNS - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG9Qx0xQT5EBNmq3_2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SNMP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHD-LfxQT5EBNmq4iB","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SIP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHDNS4xQT5EBNmq4dF","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SMB - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHDfDkxQT5EBNmq4fQ","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SMTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHDsr0xQT5EBNmq4gw","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHE-_wxQT5EBNmq4n3","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Software - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Software - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHEKJUxQT5EBNmq4jW","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SSH - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHEYk4xQT5EBNmq4k5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SSL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHElRWxQT5EBNmq4lz","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Tunnels - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHFYrqxQT5EBNmq4qT","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Weird - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHGXk-xQT5EBNmq4uf","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxMywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"X.509 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHGklsxQT5EBNmq4wG","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Connection","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top 10 - Total Bytes By Connection\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Connection ID\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"left\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"uid.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection ID\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"uid.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection ID\"}}],\"listeners\":{}}"},"id":"f1325230-3b0d-11e7-a0fe-29878c6f414a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Destination Port","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top 10 - Total Bytes By Destination Port\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Port\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Max total_bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"destination_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}],\"listeners\":{}}"},"id":"acd65230-3b0d-11e7-a0fe-29878c6f414a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Destination IP","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Bytes\",\"field\":\"total_bytes\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP Address\",\"field\":\"destination_ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination IP Address\",\"field\":\"destination_ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"title\":\"Connections - Top 10 - Total Bytes By Destination IP\",\"type\":\"histogram\"}"},"id":"eeafbb70-3b0c-11e7-a6f9-5d3fe735ec2b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1NywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":71,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":20,\"h\":18,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":18,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":18,\"w\":20,\"h\":20,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":38,\"w\":40,\"h\":33,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"x\":0,\"y\":71,\"w\":48,\"h\":35,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"gridData\":{\"x\":28,\"y\":18,\"w\":20,\"h\":20,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Connections - Total Bytes","version":1},"id":"a2ab0c40-3b0a-11e7-a6f9-5d3fe735ec2b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"f1325230-3b0d-11e7-a0fe-29878c6f414a","name":"panel_1","type":"visualization"},{"id":"acd65230-3b0d-11e7-a0fe-29878c6f414a","name":"panel_2","type":"visualization"},{"id":"41a33c80-3b0d-11e7-a6f9-5d3fe735ec2b","name":"panel_3","type":"visualization"},{"id":"726cc040-48cf-11e8-9576-313be7c6b44b","name":"panel_4","type":"visualization"},{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"eeafbb70-3b0c-11e7-a6f9-5d3fe735ec2b","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"a5045e20-3bd1-11e7-a3ae-1754b87179c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"a663e070-4c78-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUxOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SNMP - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"a67546c0-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - Request - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - Request - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"request.client.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"request.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"},"id":"a7ebb450-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Data Overview","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Data Overview\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":false,\"last_level\":false,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Category\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"url\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.category.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"ac6b1720-7559-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ1OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"observer.name:* OR agent.name:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Log Count By Node ","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Log Count By Node \",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"observer.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"observer.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Node\"}}]}"},"id":"a9fae5c0-6e9b-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2MCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"e243c0f0-f7cf-453e-8f5c-dc93e4651d69\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"e243c0f0-f7cf-453e-8f5c-dc93e4651d69\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"5fdac8ff-799a-4d54-8dcb-ee1728d9623d\",\"w\":17,\"x\":9,\"y\":0},\"panelIndex\":\"5fdac8ff-799a-4d54-8dcb-ee1728d9623d\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"126f5365-8829-469d-8349-a08874975584\",\"w\":22,\"x\":26,\"y\":0},\"panelIndex\":\"126f5365-8829-469d-8349-a08874975584\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":26,\"i\":\"9c61759c-0b14-433b-bca7-fd22f9a20630\",\"w\":22,\"x\":0,\"y\":8},\"panelIndex\":\"9c61759c-0b14-433b-bca7-fd22f9a20630\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":26,\"i\":\"504e0ba1-08f7-4601-833d-6615d84e8fba\",\"w\":9,\"x\":22,\"y\":8},\"panelIndex\":\"504e0ba1-08f7-4601-833d-6615d84e8fba\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":26,\"i\":\"e3425787-250b-4dad-8244-4c7ba65df3d9\",\"w\":8,\"x\":31,\"y\":8},\"panelIndex\":\"e3425787-250b-4dad-8244-4c7ba65df3d9\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":26,\"i\":\"9c133f8f-ca11-4a4b-ac5a-3dfe3b87f20e\",\"w\":9,\"x\":39,\"y\":8},\"panelIndex\":\"9c133f8f-ca11-4a4b-ac5a-3dfe3b87f20e\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - Home","version":1},"id":"a8411b30-6d03-11ea-b301-3d6c35840645","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ac6b1720-7559-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","name":"panel_5","type":"visualization"},{"id":"a9fae5c0-6e9b-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security Onion - Osquery - Query Results Count","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.result.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Query Results\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.result.hostname.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.result.live_query.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Live Query Pivot\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.result.endpoint_ip1.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint Primary IP\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - Osquery - Query Results Count\"}"},"id":"ab47a590-afcc-11ea-b262-353d451b125b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9eed5fc0-afcb-11ea-b262-353d451b125b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-16T12:58:03.053Z","version":"Wzc1NCwyXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"3919aa4b-bef6-4545-a780-484bae2df9ee\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"3919aa4b-bef6-4545-a780-484bae2df9ee\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"}]","timeRestore":false,"title":"Security Onion - Users","version":1},"id":"abbe1140-72c7-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Dataset By Node","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Dataset By Node\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.dataset.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}}]}"},"id":"abffa080-6ec9-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f5166880-374f-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Request Path","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Request Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"request_path.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request Path\"}}],\"listeners\":{}}"},"id":"dddb4430-3752-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ2OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"dfd1dc00-6e24-11e7-a261-55504638cf3b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3NCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":0,\"y\":72,\"w\":16,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":16,\"y\":72,\"w\":16,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":20,\"y\":8,\"w\":12,\"h\":16,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"x\":0,\"y\":96,\"w\":48,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":20,\"y\":48,\"w\":28,\"h\":24,\"i\":\"13\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":32,\"y\":24,\"w\":16,\"h\":24,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":0,\"y\":48,\"w\":20,\"h\":24,\"i\":\"15\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"16\",\"gridData\":{\"x\":8,\"y\":8,\"w\":12,\"h\":16,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"17\",\"gridData\":{\"x\":0,\"y\":120,\"w\":48,\"h\":30,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"18\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":16,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"19\",\"gridData\":{\"x\":32,\"y\":72,\"w\":16,\"h\":24,\"i\":\"19\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"panelIndex\":\"20\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"20\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"panelIndex\":\"21\",\"gridData\":{\"x\":8,\"y\":24,\"w\":24,\"h\":24,\"i\":\"21\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - SIP","version":1},"id":"ad3c0830-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"5393c710-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"f5166880-374f-11e7-b74a-f5057991ccd2","name":"panel_2","type":"visualization"},{"id":"04e1aea0-3750-11e7-b74a-f5057991ccd2","name":"panel_3","type":"visualization"},{"id":"90bf0a80-3750-11e7-b74a-f5057991ccd2","name":"panel_4","type":"visualization"},{"id":"dddb4430-3752-11e7-b74a-f5057991ccd2","name":"panel_5","type":"visualization"},{"id":"5e36c370-3753-11e7-b74a-f5057991ccd2","name":"panel_6","type":"visualization"},{"id":"73f663f0-3753-11e7-b74a-f5057991ccd2","name":"panel_7","type":"visualization"},{"id":"930b1600-3753-11e7-b74a-f5057991ccd2","name":"panel_8","type":"visualization"},{"id":"2db47070-3754-11e7-b74a-f5057991ccd2","name":"panel_9","type":"visualization"},{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"panel_10","type":"search"},{"id":"1ef5c230-6e24-11e7-a261-55504638cf3b","name":"panel_11","type":"visualization"},{"id":"dfd1dc00-6e24-11e7-a261-55504638cf3b","name":"panel_12","type":"visualization"},{"id":"AWDHDNS4xQT5EBNmq4dF","name":"panel_13","type":"visualization"},{"id":"0291dba0-4c78-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ3NywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:files\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":7,\"i\":\"257c130f-3673-410c-9f60-d67deb13b580\"},\"panelIndex\":\"257c130f-3673-410c-9f60-d67deb13b580\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":7,\"i\":\"de6206b4-7adb-44a0-ae00-2d28274478c8\"},\"panelIndex\":\"de6206b4-7adb-44a0-ae00-2d28274478c8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":7,\"i\":\"93532ba0-f446-4a97-8783-a04dd4347485\"},\"panelIndex\":\"93532ba0-f446-4a97-8783-a04dd4347485\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":8,\"h\":19,\"i\":\"a2af856c-7069-46b2-974c-e8b9054af929\"},\"panelIndex\":\"a2af856c-7069-46b2-974c-e8b9054af929\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":7,\"w\":9,\"h\":19,\"i\":\"4a3de026-5001-46a6-af20-78db885bd4bb\"},\"panelIndex\":\"4a3de026-5001-46a6-af20-78db885bd4bb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":17,\"y\":7,\"w\":17,\"h\":19,\"i\":\"74071657-abfc-49e7-a0c3-e318b72a9d4c\"},\"panelIndex\":\"74071657-abfc-49e7-a0c3-e318b72a9d4c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":34,\"y\":7,\"w\":14,\"h\":19,\"i\":\"2379029c-c749-4804-91df-3d9be3fc4f8a\"},\"panelIndex\":\"2379029c-c749-4804-91df-3d9be3fc4f8a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":26,\"w\":21,\"h\":19,\"i\":\"0e36a0b5-5905-43c6-8ae1-f3eb348571a0\"},\"panelIndex\":\"0e36a0b5-5905-43c6-8ae1-f3eb348571a0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":21,\"y\":26,\"w\":8,\"h\":19,\"i\":\"99813eab-a19b-47d2-a8ee-8bcb667eedbf\"},\"panelIndex\":\"99813eab-a19b-47d2-a8ee-8bcb667eedbf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":26,\"w\":10,\"h\":19,\"i\":\"18a734f4-78a1-4d84-9f7f-7c5aa6d3b1c2\"},\"panelIndex\":\"18a734f4-78a1-4d84-9f7f-7c5aa6d3b1c2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":39,\"y\":26,\"w\":9,\"h\":19,\"i\":\"c51df9f8-9010-4cae-9c7c-76ca7af98f13\"},\"panelIndex\":\"c51df9f8-9010-4cae-9c7c-76ca7af98f13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":24,\"i\":\"226350dd-3afe-4135-a8da-71db63287a95\"},\"panelIndex\":\"226350dd-3afe-4135-a8da-71db63287a95\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"Security Onion - Zeek Files","version":1},"id":"ad4d5d60-75f4-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"bcf25e30-75f1-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"e8d35c50-75f3-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"09fc6ef0-7732-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"2fc4bea0-7730-11ea-bee5-af7f7c7b8e05","name":"panel_8","type":"visualization"},{"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","name":"panel_9","type":"visualization"},{"id":"efc25540-75f1-11ea-9565-7315f4ee5cac","name":"panel_10","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_11","type":"search"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"ae4e88b0-76b5-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSL - Destination Country (Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSL - Destination Country (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"destination_geo.country_name.keyword: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"ae959820-365c-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - TLS - True/False (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"SMTP - TLS - True/False (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"TLS\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tls.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS\"}}],\"listeners\":{}}"},"id":"aeb71cc0-6e29-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5OSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Initial Systems/Queries\",\"disabled\":true,\"key\":\"osquery.counter\",\"negate\":true,\"params\":{\"query\":0,\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"0\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"osquery.counter\":{\"query\":0,\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Servers Only\",\"disabled\":true,\"key\":\"osquery.codename\",\"negate\":false,\"params\":{\"query\":\"server\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"server\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match\":{\"osquery.codename\":{\"query\":\"server\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":64,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":11,\"i\":\"16\"},\"panelIndex\":\"16\",\"title\":\"\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":29,\"w\":40,\"h\":20,\"i\":\"18\"},\"panelIndex\":\"18\",\"title\":\"Chrome Extensions - Logs\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":11,\"w\":40,\"h\":18,\"i\":\"19\"},\"panelIndex\":\"19\",\"title\":\"Chrome Extensions - Sensitive Permissions\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":11,\"i\":\"20\"},\"version\":\"7.3.0\",\"panelIndex\":\"20\",\"embeddableConfig\":{},\"title\":\"Chrome Extensions - Changes by Hostname\",\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"osquery - Chrome Extensions","version":1},"id":"af0ea750-18d3-11e9-932c-d12d2cf4ee95","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index","type":"index-pattern"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"71538370-18d5-11e9-932c-d12d2cf4ee95","name":"panel_1","type":"visualization"},{"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","name":"panel_2","type":"search"},{"id":"78cf8bf0-1a59-11e9-ac0b-cb0ba10141ab","name":"panel_3","type":"visualization"},{"id":"04f86530-1a59-11e9-ac0b-cb0ba10141ab","name":"panel_4","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ4NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security Onion - Osquery - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Osquery - Name\"}"},"id":"af139720-afcb-11ea-b262-353d451b125b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-16T12:19:53.873Z","version":"WzcyNywyXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"SMTP\"}}],\"listeners\":{}}"},"id":"c47e2a10-39a1-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMTP - Destination Country (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMTP - Destination Country (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}]}"},"id":"dfe23030-39a1-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - TLS (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMTP - TLS (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tls.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"c3bb32c0-39a2-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f18a0480-3bd0-11e7-9c09-4f161b0766dd","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"useragent.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"d776e510-6e28-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzQ5NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"d5aa6d00-6e29-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwMCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":80,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":80,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":16,\"y\":56,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":104,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":20,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":20,\"i\":\"18\"},\"panelIndex\":\"18\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":56,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"20\"},\"panelIndex\":\"20\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\"}]","timeRestore":false,"title":"Bro - SMTP","version":1},"id":"b10a9c60-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"7c922990-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"c47e2a10-39a1-11e7-8472-0151e5b2b475","name":"panel_2","type":"visualization"},{"id":"dfe23030-39a1-11e7-8472-0151e5b2b475","name":"panel_3","type":"visualization"},{"id":"73b1b240-39a2-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"96767400-39a2-11e7-8472-0151e5b2b475","name":"panel_5","type":"visualization"},{"id":"c3bb32c0-39a2-11e7-8472-0151e5b2b475","name":"panel_6","type":"visualization"},{"id":"f18a0480-3bd0-11e7-9c09-4f161b0766dd","name":"panel_7","type":"visualization"},{"id":"a5045e20-3bd1-11e7-a3ae-1754b87179c0","name":"panel_8","type":"visualization"},{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"d776e510-6e28-11e7-8b76-75eee0095daa","name":"panel_10","type":"visualization"},{"id":"53beb0d0-6e29-11e7-8b76-75eee0095daa","name":"panel_11","type":"visualization"},{"id":"aeb71cc0-6e29-11e7-8b76-75eee0095daa","name":"panel_12","type":"visualization"},{"id":"d5aa6d00-6e29-11e7-8b76-75eee0095daa","name":"panel_13","type":"visualization"},{"id":"AWDHDsr0xQT5EBNmq4gw","name":"panel_14","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNP3 - IIN","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNP3 - IIN\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dnp3.iin: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dnp3.iin\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IIN\"}}]}"},"id":"f991b6d0-75b8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwMywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dnp3\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\"},\"panelIndex\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":15,\"h\":8,\"i\":\"1b99097d-a957-4163-9810-263a0e653c18\"},\"panelIndex\":\"1b99097d-a957-4163-9810-263a0e653c18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":8,\"i\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\"},\"panelIndex\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":19,\"i\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\"},\"panelIndex\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":8,\"w\":8,\"h\":19,\"i\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\"},\"panelIndex\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":8,\"w\":12,\"h\":19,\"i\":\"a9916c8f-c82b-413d-8561-64ce0d68d3b8\"},\"panelIndex\":\"a9916c8f-c82b-413d-8561-64ce0d68d3b8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":19,\"i\":\"04426d00-3313-40eb-a0c9-2541a7ea99f3\"},\"panelIndex\":\"04426d00-3313-40eb-a0c9-2541a7ea99f3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - DNP3","version":1},"id":"b1f52180-755a-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f991b6d0-75b8-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"214793c0-75b9-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Authentication Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Authentication Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.authentication.method.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.authentication.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"},"id":"b2053990-75c7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2NSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:kerberos\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"caa0aaa2-ed03-47b4-9a9f-c0f9b8d50da9\"},\"panelIndex\":\"caa0aaa2-ed03-47b4-9a9f-c0f9b8d50da9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":15,\"h\":9,\"i\":\"e0e4a50d-887b-472b-a790-302966fb6f49\"},\"panelIndex\":\"e0e4a50d-887b-472b-a790-302966fb6f49\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":9,\"i\":\"5cca2c4b-7299-4122-a3d5-3637ef23dc5d\"},\"panelIndex\":\"5cca2c4b-7299-4122-a3d5-3637ef23dc5d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":10,\"h\":19,\"i\":\"aa944a94-288e-490f-9e04-f5b3bc2cf19f\"},\"panelIndex\":\"aa944a94-288e-490f-9e04-f5b3bc2cf19f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":10,\"y\":9,\"w\":10,\"h\":19,\"i\":\"ebc359a7-3dce-4e7d-bd70-355cc8099437\"},\"panelIndex\":\"ebc359a7-3dce-4e7d-bd70-355cc8099437\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":20,\"y\":9,\"w\":11,\"h\":19,\"i\":\"251dacac-b4c5-481a-9e41-8173e9bc27ab\"},\"panelIndex\":\"251dacac-b4c5-481a-9e41-8173e9bc27ab\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":31,\"y\":9,\"w\":7,\"h\":19,\"i\":\"1a78a61c-7b0a-425f-ade8-bcbb302a2585\"},\"panelIndex\":\"1a78a61c-7b0a-425f-ade8-bcbb302a2585\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":38,\"y\":9,\"w\":10,\"h\":19,\"i\":\"eba2e210-8b36-41a7-8ac5-7d63cfc022e1\"},\"panelIndex\":\"eba2e210-8b36-41a7-8ac5-7d63cfc022e1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Kerberos","version":1},"id":"b207ab90-75bc-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"0ecc7310-75bd-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"2d73e460-75bd-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"48331f00-75bd-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUwOSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":104,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":32,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - SMB","version":1},"id":"b3a53710-3aaa-11e7-8b17-0d8709b02c80","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"panel_0","type":"search"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"85e40a70-3aac-11e7-8b17-0d8709b02c80","name":"panel_2","type":"visualization"},{"id":"15b4e7a0-3aad-11e7-8b17-0d8709b02c80","name":"panel_3","type":"visualization"},{"id":"31f5e040-3aad-11e7-8b17-0d8709b02c80","name":"panel_4","type":"visualization"},{"id":"6f883480-3aad-11e7-8b17-0d8709b02c80","name":"panel_5","type":"visualization"},{"id":"60384e00-3aaf-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"72f0f010-3aaf-11e7-a83b-b1b4da7d15f4","name":"panel_7","type":"visualization"},{"id":"306c4330-4175-11e7-a0f7-47f4c03e3306","name":"panel_8","type":"visualization"},{"id":"AWDHDfDkxQT5EBNmq4fQ","name":"panel_9","type":"visualization"},{"id":"a663e070-4c78-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Responder Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Responder Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"respond_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Responder Bytes\"}}],\"listeners\":{}}"},"id":"b50912f0-366f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxOSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Tunnels - Type","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Tunnels - Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tunnel.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"id":"b6120810-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Responder Bytes ( Tile Map)","uiStateJSON":"{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}","version":1,"visState":"{\"title\":\"Connections - Source - Responder Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"respond_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"f3bc9fa0-46cb-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyMSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[24.84656534821976,0.17578125],\"mapZoom\":2}}]","timeRestore":false,"title":"Connections - Source - Responder Bytes","version":1},"id":"b65775e0-46cb-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"f3bc9fa0-46cb-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"e8511600-36b8-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Session Duration","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Session Duration\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"duration\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Duration\"}}],\"listeners\":{}}"},"id":"e47015d0-36b9-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUyNywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":24,\"y\":32,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":32,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":8,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - SNMP","version":1},"id":"b65c2710-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"a67546c0-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"e8511600-36b8-11e7-9786-41a1d72e15ad","name":"panel_2","type":"visualization"},{"id":"0defabb0-36b9-11e7-9786-41a1d72e15ad","name":"panel_3","type":"visualization"},{"id":"e47015d0-36b9-11e7-9786-41a1d72e15ad","name":"panel_4","type":"visualization"},{"id":"2a3ae810-36ba-11e7-9786-41a1d72e15ad","name":"panel_5","type":"visualization"},{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"7dc62970-6e2a-11e7-8b76-75eee0095daa","name":"panel_7","type":"visualization"},{"id":"AWDHD-LfxQT5EBNmq4iB","name":"panel_8","type":"visualization"},{"id":"83a91450-4c79-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Validation Status","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Validation Status\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.validation_status.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssl.validation_status.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"}}]}"},"id":"b8371250-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1NiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:radius\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"005ac000-9db8-4310-97d5-4574cdaf0e49\"},\"panelIndex\":\"005ac000-9db8-4310-97d5-4574cdaf0e49\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":9,\"i\":\"a65d1358-9fa9-4457-8a46-5790a748d1fa\"},\"panelIndex\":\"a65d1358-9fa9-4457-8a46-5790a748d1fa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"d38d991e-53e4-4b71-8e3f-c0d4b0d454da\"},\"panelIndex\":\"d38d991e-53e4-4b71-8e3f-c0d4b0d454da\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":19,\"i\":\"9304c1a2-e55f-4f51-bd04-d15892b754a4\"},\"panelIndex\":\"9304c1a2-e55f-4f51-bd04-d15892b754a4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":19,\"i\":\"7075ea4f-e935-470c-9329-9a0b15202385\"},\"panelIndex\":\"7075ea4f-e935-470c-9329-9a0b15202385\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":8,\"h\":19,\"i\":\"91a90e9d-71f7-484c-a561-6aef6a3b8f09\"},\"panelIndex\":\"91a90e9d-71f7-484c-a561-6aef6a3b8f09\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":24,\"y\":9,\"w\":9,\"h\":19,\"i\":\"9058f9ee-39d1-4e2b-a99b-ed4c2fb26efd\"},\"panelIndex\":\"9058f9ee-39d1-4e2b-a99b-ed4c2fb26efd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":19,\"i\":\"766f8f9b-3f31-47d8-9734-442fc1fcff84\"},\"panelIndex\":\"766f8f9b-3f31-47d8-9734-442fc1fcff84\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - RADIUS","version":1},"id":"b9769e60-75c4-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"767c89f0-af4c-11ea-b262-353d451b125b","name":"panel_5","type":"visualization"},{"id":"0ca071b0-75c5-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"27ab8260-75c5-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T21:09:44.413Z","version":"WzcwNywyXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"bc7fbe00-4a44-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyNSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.module:osquery\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"7f9eaa30-b358-4027-a312-249defe273c4\"},\"panelIndex\":\"7f9eaa30-b358-4027-a312-249defe273c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":7,\"y\":0,\"w\":17,\"h\":7,\"i\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\"},\"panelIndex\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":7,\"i\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\"},\"panelIndex\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":48,\"h\":16,\"i\":\"fae63e28-6a3c-4641-94fd-e5b033ac55b9\"},\"panelIndex\":\"fae63e28-6a3c-4641-94fd-e5b033ac55b9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":23,\"w\":48,\"h\":31,\"i\":\"db4fa812-32fb-43c8-baa8-e88206cae126\"},\"panelIndex\":\"db4fa812-32fb-43c8-baa8-e88206cae126\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"Security Onion - Osquery","version":1},"id":"bf7cf8d0-7732-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ab47a590-afcc-11ea-b262-353d451b125b","name":"panel_3","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"search"}],"type":"dashboard","updated_at":"2020-06-16T12:33:26.077Z","version":"Wzc0MiwyXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Software - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Software - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"da4cc2c0-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzUzOCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":40,\"x\":0,\"y\":44,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"name\",\"software_type\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":40,\"h\":36,\"x\":8,\"y\":8,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Software","version":1},"id":"c2c99c30-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"da4cc2c0-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"AWDHEKJUxQT5EBNmq4jW","name":"panel_3","type":"visualization"},{"id":"9b0f6a80-4c7a-11e8-9b0a-f1d33346f773","name":"panel_4","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Protocol (Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Connections - Protocol (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Protocol\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"protocol.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}]}"},"id":"c3152010-3673-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"ec40c5e0-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0MiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:mysql\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"b08e3120-b482-4817-b3e9-f521f5acd8f2\"},\"panelIndex\":\"b08e3120-b482-4817-b3e9-f521f5acd8f2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":9,\"i\":\"e23b2681-5eae-4de6-8933-ba755508ec5b\"},\"panelIndex\":\"e23b2681-5eae-4de6-8933-ba755508ec5b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":9,\"i\":\"53e06ed2-d64f-46dc-b864-5b884a8c53dc\"},\"panelIndex\":\"53e06ed2-d64f-46dc-b864-5b884a8c53dc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":18,\"i\":\"2bfa498b-d0a8-48ee-9a47-bcf288127d2a\"},\"panelIndex\":\"2bfa498b-d0a8-48ee-9a47-bcf288127d2a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":18,\"i\":\"e6a27aaf-ef8d-41a3-aebc-9c26ab2dc189\"},\"panelIndex\":\"e6a27aaf-ef8d-41a3-aebc-9c26ab2dc189\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":9,\"w\":15,\"h\":18,\"i\":\"e2f6f286-c4ba-4642-b650-366aca2c3d2d\"},\"panelIndex\":\"e2f6f286-c4ba-4642-b650-366aca2c3d2d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":18,\"i\":\"f84a5dbd-d99c-4c24-895f-18f1d419af93\"},\"panelIndex\":\"f84a5dbd-d99c-4c24-895f-18f1d419af93\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":16,\"i\":\"3b2e66eb-aa46-4363-b8ad-efd564b95279\"},\"panelIndex\":\"3b2e66eb-aa46-4363-b8ad-efd564b95279\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - MySQL","version":1},"id":"c3ced6d0-75be-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"ec40c5e0-75c0-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"1f306f60-75c0-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"3af496e0-75c0-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU0NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"ca9ffc10-76b5-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Protocol","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"protocol.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}],\"listeners\":{}}"},"id":"e9d5ae30-76b6-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1MSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":8,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":28,\"h\":24,\"x\":8,\"y\":8,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"Bro - Syslog","version":1},"id":"c4bbe040-76b3-11e7-ba96-cba76a1e264d","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"92b202e0-76b4-11e7-94e1-3d2ec4e57ed9","name":"panel_1","type":"visualization"},{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"panel_2","type":"search"},{"id":"6c60a280-76b5-11e7-94e1-3d2ec4e57ed9","name":"panel_3","type":"visualization"},{"id":"ae4e88b0-76b5-11e7-94e1-3d2ec4e57ed9","name":"panel_4","type":"visualization"},{"id":"ca9ffc10-76b5-11e7-94e1-3d2ec4e57ed9","name":"panel_5","type":"visualization"},{"id":"e9d5ae30-76b6-11e7-94e1-3d2ec4e57ed9","name":"panel_6","type":"visualization"},{"id":"346e5c30-76b7-11e7-94e1-3d2ec4e57ed9","name":"panel_7","type":"visualization"},{"id":"AWDHE-_wxQT5EBNmq4n3","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU1NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Authentication Success","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"SSH - Authentication Success\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Authentication Success\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"authentication_success.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Success\"}}],\"listeners\":{}}"},"id":"dcea2790-6e33-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSH -Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH -Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}]}"},"id":"e64833a0-4c7b-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2MywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":24,\"i\":\"12\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"13\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":24,\"i\":\"13\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":8,\"y\":8,\"w\":28,\"h\":24,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - SSH","version":1},"id":"c6ccfc00-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"09457310-3641-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"8a60eb50-365f-11e7-8c78-e3086faf385c","name":"panel_2","type":"visualization"},{"id":"9a33f9a0-365f-11e7-8c78-e3086faf385c","name":"panel_3","type":"visualization"},{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"54d78f50-6e33-11e7-9a19-a5996f8250c6","name":"panel_5","type":"visualization"},{"id":"dcea2790-6e33-11e7-9a19-a5996f8250c6","name":"panel_6","type":"visualization"},{"id":"2bbdc020-6e34-11e7-9a19-a5996f8250c6","name":"panel_7","type":"visualization"},{"id":"AWDHEYk4xQT5EBNmq4k5","name":"panel_8","type":"visualization"},{"id":"e64833a0-4c7b-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"c7484350-6eb1-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5NywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Zeek - Notice Message","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Zeek - Notice Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"notice.message.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"notice.message.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message\"}}]}"},"id":"c8039090-7a84-11ea-9d13-57f5db13d1ed","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Share Flag","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Share Flag\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rfb.share_flag\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"d5e72b20-75c7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Desktop Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Desktop Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.desktop.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.desktop.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Desktop Name\"}}]}"},"id":"fe62c910-75c7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU2NywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:rfb\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"f64f888f-f9bb-4be1-ab75-80d2a11303ed\"},\"panelIndex\":\"f64f888f-f9bb-4be1-ab75-80d2a11303ed\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"0e12fa96-b29d-4815-ae19-b6e894948597\"},\"panelIndex\":\"0e12fa96-b29d-4815-ae19-b6e894948597\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"7c1a7e05-c37b-4f81-b6b6-b30cfa0897e2\"},\"panelIndex\":\"7c1a7e05-c37b-4f81-b6b6-b30cfa0897e2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"c1bb39f4-4d9f-4154-a131-65e727fc0049\"},\"panelIndex\":\"c1bb39f4-4d9f-4154-a131-65e727fc0049\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"e51c88d1-a11a-4d5f-b5a7-f6ac79b23054\"},\"panelIndex\":\"e51c88d1-a11a-4d5f-b5a7-f6ac79b23054\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":8,\"w\":14,\"h\":19,\"i\":\"b9412112-bc5a-4b16-ba5e-ded11a0e299d\"},\"panelIndex\":\"b9412112-bc5a-4b16-ba5e-ded11a0e299d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":19,\"i\":\"edfbec77-b174-40ac-9f11-776da22fe82d\"},\"panelIndex\":\"edfbec77-b174-40ac-9f11-776da22fe82d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":24,\"h\":15,\"i\":\"d2d1ebcb-83a9-44ca-80f2-2f0fc2abcecf\"},\"panelIndex\":\"d2d1ebcb-83a9-44ca-80f2-2f0fc2abcecf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":27,\"w\":12,\"h\":15,\"i\":\"aedad86f-ec5e-4330-bab0-468351eb8355\"},\"panelIndex\":\"aedad86f-ec5e-4330-bab0-468351eb8355\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":36,\"y\":27,\"w\":12,\"h\":15,\"i\":\"8092b313-2e40-47e4-96a2-51086f98e53f\"},\"panelIndex\":\"8092b313-2e40-47e4-96a2-51086f98e53f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - RFB","version":1},"id":"c8b3c360-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b2053990-75c7-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"d5e72b20-75c7-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"fe62c910-75c7-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"5dcf09e0-75c8-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"316e90a0-75c8-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connection Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Connection Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"c94e2aa0-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5OCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:tunnel\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"19aef080-5875-4182-81a8-2a6639c75489\"},\"panelIndex\":\"19aef080-5875-4182-81a8-2a6639c75489\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"70939be7-5bb9-4d13-ab89-683b3eda7a98\"},\"panelIndex\":\"70939be7-5bb9-4d13-ab89-683b3eda7a98\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"21848a06-ca96-4869-b069-7524caf3ae06\"},\"panelIndex\":\"21848a06-ca96-4869-b069-7524caf3ae06\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":10,\"h\":19,\"i\":\"8020a914-8f9f-4bd6-be32-1c6afa27f9e4\"},\"panelIndex\":\"8020a914-8f9f-4bd6-be32-1c6afa27f9e4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":10,\"y\":8,\"w\":10,\"h\":19,\"i\":\"9f72f316-c3a2-4658-8d03-932fa590e216\"},\"panelIndex\":\"9f72f316-c3a2-4658-8d03-932fa590e216\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":20,\"y\":8,\"w\":9,\"h\":19,\"i\":\"fa1bc43a-2be3-4699-97af-677bded82273\"},\"panelIndex\":\"fa1bc43a-2be3-4699-97af-677bded82273\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":8,\"w\":19,\"h\":19,\"i\":\"7c522eab-36bc-4933-abea-29a4c4a4f918\"},\"panelIndex\":\"7c522eab-36bc-4933-abea-29a4c4a4f918\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - Tunnels","version":1},"id":"c962dd60-75ed-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"b6120810-75ef-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Weird - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}"},"id":"ca3e57d0-4172-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxMSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNP3 - FC Reply","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNP3 - FC Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dnp3.fc_reply.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dnp3.fc_reply.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"FC Reply\"}}]}"},"id":"cb29fbe0-75b8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY5OSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\",\"gridData\":{\"x\":12,\"y\":20,\"w\":24,\"h\":20,\"i\":\"1\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}},{\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\",\"gridData\":{\"x\":12,\"y\":0,\"w\":24,\"h\":20,\"i\":\"2\"},\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":40,\"i\":\"3\"},\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":40,\"w\":48,\"h\":24,\"i\":\"4\"},\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}}]","timeRestore":false,"title":"Connections - Top Source IPs","version":1},"id":"cb367060-3b04-11e7-a83b-b1b4da7d15f4","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8261cf00-366e-11e7-8c78-e3086faf385c","name":"panel_0","type":"visualization"},{"id":"28c27f80-3b05-11e7-a83b-b1b4da7d15f4","name":"panel_1","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_2","type":"visualization"},{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"db570800-365a-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU3OSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"f0700840-365a-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSL - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"validation_status.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS Version\"}}]}"},"id":"ebec2ea0-4c7c-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4NSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":104,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":104,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":20,\"h\":24,\"x\":16,\"y\":104,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":8,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":48,\"h\":72,\"x\":0,\"y\":128,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"19\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"20\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"20\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\"},{\"panelIndex\":\"21\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"21\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"Bro - SSL","version":1},"id":"cca67b60-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"6139edd0-3641-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"3753e110-365a-11e7-bf60-314364dd1cde","name":"panel_2","type":"visualization"},{"id":"02699580-365a-11e7-bf60-314364dd1cde","name":"panel_3","type":"visualization"},{"id":"db570800-365a-11e7-8bd0-1db2c55fb7a1","name":"panel_4","type":"visualization"},{"id":"f0700840-365a-11e7-8bd0-1db2c55fb7a1","name":"panel_5","type":"visualization"},{"id":"21d090d0-365b-11e7-8bd0-1db2c55fb7a1","name":"panel_6","type":"visualization"},{"id":"53ac63e0-365b-11e7-8bd0-1db2c55fb7a1","name":"panel_7","type":"visualization"},{"id":"ae959820-365c-11e7-8bd0-1db2c55fb7a1","name":"panel_8","type":"visualization"},{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"23d22bd0-70b4-11e7-810e-2bafe9e41c10","name":"panel_10","type":"visualization"},{"id":"AWDHElRWxQT5EBNmq4lz","name":"panel_11","type":"visualization"},{"id":"ebec2ea0-4c7c-11e8-9b0a-f1d33346f773","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4NiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"mapCenter\":[24.846565348219734,0.087890625],\"mapZoom\":2}},{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Connections - Destination - Sum of Total Bytes","version":1},"id":"ccfcc540-4638-11e7-a82e-d97152153689","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"1342e630-4632-11e7-9903-85f789353078","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU4OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - Entropy","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Strelka - File - Entropy\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"scan.entropy.entropy\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Entropy\"}}]}"},"id":"ce9e03f0-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3MywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Warning","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Warning\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.warning.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.warning.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Warning\"}}]}"},"id":"cf56b070-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwNCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Tunnels - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"e89c9700-3641-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Country","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Tunnels - Country\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"},"id":"f60e0c40-6e34-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5NCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":20,\"x\":28,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":48,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"gridData\":{\"w\":20,\"h\":20,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":20,\"x\":8,\"y\":28,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Bro - Tunnels","version":1},"id":"d7b54ae0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"e89c9700-3641-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"43b2b040-3807-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"26457730-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"3cdf2400-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_4","type":"visualization"},{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"f60e0c40-6e34-11e7-9a19-a5996f8250c6","name":"panel_6","type":"visualization"},{"id":"33b39a60-6e35-11e7-9a19-a5996f8250c6","name":"panel_7","type":"visualization"},{"id":"53824da0-6e35-11e7-9a19-a5996f8250c6","name":"panel_8","type":"visualization"},{"id":"AWDHFYrqxQT5EBNmq4qT","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzU5OCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event_type:bro_conn\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Connections - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}"},"id":"d7d3dda0-54b9-11e9-a48f-b7dfb1d0f288","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Server Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Server Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.server_name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.server_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Name\"}}]}"},"id":"db4dc4a0-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network Datasets","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network Datasets\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}]}"},"id":"dbe4cc20-6ea7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzcwMCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"dbfe2f00-6e35-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxMiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Queries","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Queries\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}}]}"},"id":"dcda5680-2927-11e8-b2a2-09f3986ae284","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - URI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.uri.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"f63cba40-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwMSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:sip\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"1e84368a-ad74-4d57-9793-5c9ce813045b\"},\"panelIndex\":\"1e84368a-ad74-4d57-9793-5c9ce813045b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"304e7cd2-dc4f-4bf4-b1fe-747091d61b67\"},\"panelIndex\":\"304e7cd2-dc4f-4bf4-b1fe-747091d61b67\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"e87052bf-935e-421b-8208-e798a37edf69\"},\"panelIndex\":\"e87052bf-935e-421b-8208-e798a37edf69\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"b2055759-c7fd-43ab-8613-6031e8e148d3\"},\"panelIndex\":\"b2055759-c7fd-43ab-8613-6031e8e148d3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"a303da32-bd43-45a5-acbf-093478d734f9\"},\"panelIndex\":\"a303da32-bd43-45a5-acbf-093478d734f9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":8,\"w\":8,\"h\":19,\"i\":\"d8632aad-86f0-4290-9480-75ec477ae4cd\"},\"panelIndex\":\"d8632aad-86f0-4290-9480-75ec477ae4cd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":8,\"w\":8,\"h\":19,\"i\":\"ee3b0df5-4a03-470b-9d26-4eedf4f8b8d6\"},\"panelIndex\":\"ee3b0df5-4a03-470b-9d26-4eedf4f8b8d6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":34,\"y\":8,\"w\":14,\"h\":19,\"i\":\"dbe534a3-1a06-4185-b78a-293d7ec848c4\"},\"panelIndex\":\"dbe534a3-1a06-4185-b78a-293d7ec848c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":12,\"h\":17,\"i\":\"45de60a4-61ab-4b78-8cc7-5a783070c9be\"},\"panelIndex\":\"45de60a4-61ab-4b78-8cc7-5a783070c9be\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":27,\"w\":12,\"h\":17,\"i\":\"9cb368f2-b652-4dc9-8427-b88a592e8361\"},\"panelIndex\":\"9cb368f2-b652-4dc9-8427-b88a592e8361\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":27,\"w\":24,\"h\":17,\"i\":\"b78c61e2-61c3-4c43-94d9-c3971ee375be\"},\"panelIndex\":\"b78c61e2-61c3-4c43-94d9-c3971ee375be\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - SIP","version":1},"id":"dd98e260-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"272b8ab0-75ca-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"9ff24600-75ca-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"f63cba40-75ca-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"49384710-75ca-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"81a1a740-75ca-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"},{"id":"cf56b070-75ca-11ea-9565-7315f4ee5cac","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYwNSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":80,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"x\":8,\"y\":56,\"w\":40,\"h\":24,\"i\":\"10\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"13\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":24,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Weird","version":1},"id":"de2da250-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0dbcade0-3642-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"1b837b00-364e-11e7-9dc3-d35061cb642d","name":"panel_2","type":"visualization"},{"id":"312cd460-364e-11e7-9dc3-d35061cb642d","name":"panel_3","type":"visualization"},{"id":"8dbbbed0-364e-11e7-9dc3-d35061cb642d","name":"panel_4","type":"visualization"},{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"ca3e57d0-4172-11e7-9850-b78558d0ac17","name":"panel_6","type":"visualization"},{"id":"dbfe2f00-6e35-11e7-9a19-a5996f8250c6","name":"panel_7","type":"visualization"},{"id":"AWDHGXk-xQT5EBNmq4uf","name":"panel_8","type":"visualization"},{"id":"691ade50-4c85-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYxNSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Hash - SSDeep","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Hash - SSDeep\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Hash\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.ssdeep.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SSDeep\"}}]}"},"id":"e087c7d0-772d-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3NiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":63,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":63,\"w\":16,\"h\":28,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":63,\"w\":16,\"h\":28,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":91,\"w\":16,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":91,\"w\":16,\"h\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":32,\"y\":91,\"w\":16,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":16,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":8,\"y\":32,\"w\":40,\"h\":31,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"x\":0,\"y\":115,\"w\":48,\"h\":24,\"i\":\"25\"},\"panelIndex\":\"25\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"gridData\":{\"x\":30,\"y\":24,\"w\":18,\"h\":8,\"i\":\"26\"},\"panelIndex\":\"26\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"29\"},\"panelIndex\":\"29\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\"},{\"gridData\":{\"x\":32,\"y\":63,\"w\":16,\"h\":28,\"i\":\"31\"},\"panelIndex\":\"31\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":8,\"w\":22,\"h\":24,\"i\":\"32\"},\"panelIndex\":\"32\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"Bro - Connections","version":1},"id":"e0a34b90-34e6-11e7-9118-45bd317f0ca4","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"2da139c0-34e7-11e7-9118-45bd317f0ca4","name":"panel_1","type":"visualization"},{"id":"8261cf00-366e-11e7-8c78-e3086faf385c","name":"panel_2","type":"visualization"},{"id":"9a54f150-366e-11e7-8c78-e3086faf385c","name":"panel_3","type":"visualization"},{"id":"296823d0-366f-11e7-8c78-e3086faf385c","name":"panel_4","type":"visualization"},{"id":"b50912f0-366f-11e7-8c78-e3086faf385c","name":"panel_5","type":"visualization"},{"id":"05088150-3670-11e7-8c78-e3086faf385c","name":"panel_6","type":"visualization"},{"id":"c3152010-3673-11e7-8c78-e3086faf385c","name":"panel_7","type":"visualization"},{"id":"13fe29c0-3b17-11e7-b871-5f76306b9694","name":"panel_8","type":"visualization"},{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"25ce6eb0-463b-11e7-a82e-d97152153689","name":"panel_10","type":"visualization"},{"id":"AWDG71xFxQT5EBNmq336","name":"panel_11","type":"visualization"},{"id":"bc7fbe00-4a44-11e8-9b0a-f1d33346f773","name":"panel_12","type":"visualization"},{"id":"d7d3dda0-54b9-11e9-a48f-b7dfb1d0f288","name":"panel_13","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYyNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Destination Port (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Destination Port (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\"}}],\"listeners\":{}}"},"id":"e3717d80-6e0f-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}"},"id":"fab4b560-37d8-11e7-9efb-91e89505091f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzMSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"4\",\"gridData\":{\"w\":48,\"h\":68,\"x\":0,\"y\":96,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"certificate_subject\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":20,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":20,\"h\":20,\"x\":28,\"y\":8,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":40,\"h\":20,\"x\":8,\"y\":28,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Bro - X.509","version":1},"id":"e5aa7170-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"41bee360-3642-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"738127f0-37d7-11e7-9efb-91e89505091f","name":"panel_3","type":"visualization"},{"id":"fab4b560-37d8-11e7-9efb-91e89505091f","name":"panel_4","type":"visualization"},{"id":"0a5f7b30-37d9-11e7-9efb-91e89505091f","name":"panel_5","type":"visualization"},{"id":"150f7280-6e37-11e7-a8d6-ed2e692de531","name":"panel_6","type":"visualization"},{"id":"446e85c0-6e37-11e7-a8d6-ed2e692de531","name":"panel_7","type":"visualization"},{"id":"AWDHGklsxQT5EBNmq4wG","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzNiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Domain","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Host - Domain\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.domain.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Domain\"}}]}"},"id":"e80aa100-7375-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzcwMSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"mapCenter\":[39.639537564366684,0.17578125],\"mapZoom\":2}},{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Connections - Destination - Top Connection Duration","version":1},"id":"ea211360-46c4-11e7-a82e-d97152153689","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f7492d0-46c4-11e7-a82e-d97152153689","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzYzOCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Answers","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"answers.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}]}"},"id":"ff2af9b0-2927-11e8-b2a2-09f3986ae284","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY0NiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":68,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":44,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":44,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":92,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":116,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"17\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"21\",\"gridData\":{\"w\":16,\"h\":12,\"x\":32,\"y\":44,\"i\":\"21\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"22\",\"gridData\":{\"w\":16,\"h\":12,\"x\":32,\"y\":56,\"i\":\"22\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"23\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"23\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"24\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":68,\"i\":\"24\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"25\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":68,\"i\":\"25\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"26\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":20,\"i\":\"26\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\",\"embeddableConfig\":{}},{\"panelIndex\":\"27\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":20,\"i\":\"27\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}},{\"panelIndex\":\"28\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":20,\"i\":\"28\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_15\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - DNS","version":1},"id":"ebf5ec90-34bf-11e7-9b32-bb903919ead9","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"6ef90c30-34c0-11e7-9b32-bb903919ead9","name":"panel_1","type":"visualization"},{"id":"57a9a3f0-34c0-11e7-9b32-bb903919ead9","name":"panel_2","type":"visualization"},{"id":"45a652b0-34c1-11e7-917c-af7a9d11771a","name":"panel_3","type":"visualization"},{"id":"e8e3b8a0-34c1-11e7-917c-af7a9d11771a","name":"panel_4","type":"visualization"},{"id":"1ecdd2e0-34c0-11e7-9b32-bb903919ead9","name":"panel_5","type":"visualization"},{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"e3717d80-6e0f-11e7-8624-1fb07dd76c6a","name":"panel_7","type":"visualization"},{"id":"4d89e140-6f09-11e7-9d31-23c0596994a7","name":"panel_8","type":"visualization"},{"id":"74861280-6f06-11e7-b253-211f64f37eda","name":"panel_9","type":"visualization"},{"id":"AWDG9Qx0xQT5EBNmq3_2","name":"panel_10","type":"visualization"},{"id":"dcda5680-2927-11e8-b2a2-09f3986ae284","name":"panel_11","type":"visualization"},{"id":"ff2af9b0-2927-11e8-b2a2-09f3986ae284","name":"panel_12","type":"visualization"},{"id":"22f7de30-4949-11e8-9576-313be7c6b44b","name":"panel_13","type":"visualization"},{"id":"0c338e50-4a4e-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"},{"id":"49e04860-4a4e-11e8-9b0a-f1d33346f773","name":"panel_15","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - File System","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - File System\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smb.file_system.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.file_system.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File System\"}}]}"},"id":"ed215680-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2NCwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"h\":51,\"i\":\"4\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":22,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":51},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":17,\"i\":\"12\",\"w\":20,\"x\":8,\"y\":34},\"panelIndex\":\"12\",\"title\":\"NIDS Alert - Source Port\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"h\":17,\"i\":\"18\",\"w\":20,\"x\":28,\"y\":34},\"panelIndex\":\"18\",\"title\":\"NIDS Alert - Destination Port\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":40,\"x\":8,\"y\":18},\"panelIndex\":\"19\",\"title\":\"NIDS - Alert Summary \",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"20\",\"w\":17,\"x\":8,\"y\":8},\"panelIndex\":\"20\",\"title\":\"NIDS - Alert Title\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":23,\"x\":25,\"y\":8},\"panelIndex\":\"21\",\"title\":\"NIDS - Rule Signature\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"NIDS - SID Drilldown","version":1},"id":"ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"d58ec1a0-34e4-11e7-9669-7f1d3242b798","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"620283e0-3af5-11e7-a83b-b1b4da7d15f4","name":"panel_3","type":"visualization"},{"id":"AWDG3ym0xQT5EBNmq3mG","name":"panel_4","type":"visualization"},{"id":"3f040620-4a44-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"3a1b54b0-e061-11e9-8f0c-2ddbf5ed9290","name":"panel_6","type":"visualization"},{"id":"1b3faca0-e064-11e9-8f0c-2ddbf5ed9290","name":"panel_7","type":"visualization"},{"id":"6533dd40-e064-11e9-8f0c-2ddbf5ed9290","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1NCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Version","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"ede56800-6ed7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzcwMiwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:ssl\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"7ba54e84-e774-489e-b4e5-156bff163007\"},\"panelIndex\":\"7ba54e84-e774-489e-b4e5-156bff163007\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"83706228-debf-441c-ab7f-2e20c91ec132\"},\"panelIndex\":\"83706228-debf-441c-ab7f-2e20c91ec132\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"e06b2a92-d78b-4d77-9948-40a96a630656\"},\"panelIndex\":\"e06b2a92-d78b-4d77-9948-40a96a630656\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":20,\"i\":\"6f2ba042-522e-43a3-8b9f-0d00e1b60070\"},\"panelIndex\":\"6f2ba042-522e-43a3-8b9f-0d00e1b60070\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":10,\"h\":20,\"i\":\"f9b0f61d-4ff7-4bfb-a210-61ac7c07407a\"},\"panelIndex\":\"f9b0f61d-4ff7-4bfb-a210-61ac7c07407a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":19,\"y\":8,\"w\":11,\"h\":20,\"i\":\"19764782-13cb-4b14-b272-d30fbdead5a2\"},\"panelIndex\":\"19764782-13cb-4b14-b272-d30fbdead5a2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":20,\"i\":\"8e0caa58-2dba-4d73-bf54-2c5452b7e5ff\"},\"panelIndex\":\"8e0caa58-2dba-4d73-bf54-2c5452b7e5ff\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":28,\"w\":23,\"h\":20,\"i\":\"6ce88ef8-a636-4f1c-85e9-922ab70a500f\"},\"panelIndex\":\"6ce88ef8-a636-4f1c-85e9-922ab70a500f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":28,\"w\":25,\"h\":20,\"i\":\"a804d523-cf9b-47f1-85ca-4931defc69ce\"},\"panelIndex\":\"a804d523-cf9b-47f1-85ca-4931defc69ce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - SSL","version":1},"id":"efae8de0-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"db4dc4a0-75ec-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"b8371250-75ec-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"4e8cbf80-75ec-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY1OSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[24.84656534821976,0.17578125],\"mapZoom\":2}}]","timeRestore":false,"title":"Connections - Source - Sum of Total Bytes","version":1},"id":"f042ad60-46c6-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"1156b1e0-46c7-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2MSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:smb*\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"4f0e2e7d-aeee-4de8-82f0-9faffa596a05\"},\"panelIndex\":\"4f0e2e7d-aeee-4de8-82f0-9faffa596a05\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"efd2f5f0-c795-41e8-b0d7-7a3012e04d4d\"},\"panelIndex\":\"efd2f5f0-c795-41e8-b0d7-7a3012e04d4d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"c4342fbe-e949-42d7-959c-c1ce6978033a\"},\"panelIndex\":\"c4342fbe-e949-42d7-959c-c1ce6978033a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"f59a811c-5a72-4337-84bd-32a5d1dce308\"},\"panelIndex\":\"f59a811c-5a72-4337-84bd-32a5d1dce308\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"5bb49dfa-0703-448b-a249-6cebb45e101c\"},\"panelIndex\":\"5bb49dfa-0703-448b-a249-6cebb45e101c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":8,\"w\":10,\"h\":19,\"i\":\"4f886675-43c8-46c9-a471-717010d40e67\"},\"panelIndex\":\"4f886675-43c8-46c9-a471-717010d40e67\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":8,\"w\":10,\"h\":19,\"i\":\"f00a4afd-cd5f-48a4-a8d3-bc80f7367285\"},\"panelIndex\":\"f00a4afd-cd5f-48a4-a8d3-bc80f7367285\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":38,\"y\":8,\"w\":10,\"h\":19,\"i\":\"c88f8f9f-c3d9-43c1-bfb1-bb2b7f64b92f\"},\"panelIndex\":\"c88f8f9f-c3d9-43c1-bfb1-bb2b7f64b92f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":20,\"i\":\"d76e30ec-3114-4100-a806-2a77ba987bbe\"},\"panelIndex\":\"d76e30ec-3114-4100-a806-2a77ba987bbe\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - SMB","version":1},"id":"f24d7b80-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"34762420-75f0-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"1c6567b0-75f0-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"ed215680-75ef-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"052df440-75f0-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2NiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Zeek - Notice Action","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Zeek - Notice Action\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"notice.p: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"notice.action.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"fafba910-7a84-11ea-9d13-57f5db13d1ed","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY2OSwxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:notice AND event.module:zeek\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"3c981b35-b930-4523-bef4-7f5193148816\"},\"panelIndex\":\"3c981b35-b930-4523-bef4-7f5193148816\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":16,\"h\":8,\"i\":\"eb1b234a-2d6b-46af-9afe-a420a389dad1\"},\"panelIndex\":\"eb1b234a-2d6b-46af-9afe-a420a389dad1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":8,\"i\":\"7d323b2f-3502-4397-93fd-b430d9011d92\"},\"panelIndex\":\"7d323b2f-3502-4397-93fd-b430d9011d92\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":19,\"h\":18,\"i\":\"298b9cf4-5e54-45f5-805c-e04b31044401\"},\"panelIndex\":\"298b9cf4-5e54-45f5-805c-e04b31044401\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":19,\"y\":8,\"w\":29,\"h\":18,\"i\":\"1fa5b7c2-2680-4dd0-9c07-a714d8d8968a\"},\"panelIndex\":\"1fa5b7c2-2680-4dd0-9c07-a714d8d8968a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":26,\"w\":11,\"h\":23,\"i\":\"9056cf20-d882-4316-ba02-91ecbd1d4df9\"},\"panelIndex\":\"9056cf20-d882-4316-ba02-91ecbd1d4df9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":11,\"y\":26,\"w\":11,\"h\":23,\"i\":\"5f855acb-fec5-4155-b2ef-0961a6d9a89c\"},\"panelIndex\":\"5f855acb-fec5-4155-b2ef-0961a6d9a89c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":26,\"w\":10,\"h\":23,\"i\":\"208bc4b2-013a-4aab-b72c-45a618077791\"},\"panelIndex\":\"208bc4b2-013a-4aab-b72c-45a618077791\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":32,\"y\":26,\"w\":16,\"h\":23,\"i\":\"5429bbba-3d62-4a93-9932-4a2cc4369775\"},\"panelIndex\":\"5429bbba-3d62-4a93-9932-4a2cc4369775\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - Zeek - Notices","version":1},"id":"fa9ed760-7734-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"9c6ccff0-7a84-11ea-9d13-57f5db13d1ed","name":"panel_3","type":"visualization"},{"id":"c8039090-7a84-11ea-9d13-57f5db13d1ed","name":"panel_4","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"fafba910-7a84-11ea-9d13-57f5db13d1ed","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3MCwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"source.ip.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"fd8b4640-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-06-15T18:49:59.193Z","version":"WzcwMywxXQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:strelka\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":7,\"i\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\"},\"panelIndex\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":21,\"h\":7,\"i\":\"566a9d04-f2dc-4868-9625-97a19d985703\"},\"panelIndex\":\"566a9d04-f2dc-4868-9625-97a19d985703\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":7,\"i\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\"},\"panelIndex\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":12,\"h\":20,\"i\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\"},\"panelIndex\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":7,\"w\":11,\"h\":20,\"i\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\"},\"panelIndex\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":7,\"w\":14,\"h\":20,\"i\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\"},\"panelIndex\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":37,\"y\":7,\"w\":11,\"h\":20,\"i\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\"},\"panelIndex\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":8,\"h\":20,\"i\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\"},\"panelIndex\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":27,\"w\":15,\"h\":20,\"i\":\"0e8800a9-a6f5-4a79-8370-61713f584886\"},\"panelIndex\":\"0e8800a9-a6f5-4a79-8370-61713f584886\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":27,\"w\":25,\"h\":20,\"i\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\"},\"panelIndex\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":27,\"i\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\"},\"panelIndex\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - Strelka","version":1},"id":"ff689c50-75f3-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"7a88adc0-75f0-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","name":"panel_4","type":"visualization"},{"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","name":"panel_5","type":"visualization"},{"id":"ce9e03f0-772c-11ea-bee5-af7f7c7b8e05","name":"panel_6","type":"visualization"},{"id":"a7ebb450-772c-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"08c0b770-772e-11ea-bee5-af7f7c7b8e05","name":"panel_8","type":"visualization"},{"id":"e087c7d0-772d-11ea-bee5-af7f7c7b8e05","name":"panel_9","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_10","type":"search"}],"type":"dashboard","updated_at":"2020-06-15T18:49:59.193Z","version":"WzY3NywxXQ=="} -{"exportedCount":709,"missingRefCount":0,"missingReferences":[]} \ No newline at end of file +{"attributes":{"fieldFormatMap":"{\"match_body.source_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"match_body.destination_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_username_override\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_username_override.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_info.slack_webhook_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_webhook_url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_info.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_sent\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endtime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exponent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hits\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.signature_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._index.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.location.lat\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.location.lon\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_ip.keyword\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.num_hits\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.num_matches\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_ipbytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.original_ipbytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.respond_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_ipbytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.respond_ipbytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.source_ip.keyword\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-sourceip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-sourceip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matches\",\"type\":\"number\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"starttime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"time_taken\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traceback\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traceback.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"until\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:elastalert_status*"},"id":"*:elastalert_status*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-07-15T13:17:15.442Z","version":"WzAsMV0="} +{"attributes":{"fieldFormatMap":"{\"_id\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PCAPPLACEHOLDER/securityonion/joblookup?esid={{ value }}\",\"labelTemplate\":\"{{value}}\"}},\"uid\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"source_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"destination_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"source_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'source_port:\\\"{{value}}\\\" OR destination_port:\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"destination_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'source_port:\\\"{{value}}\\\" OR destination_port:\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"fuid\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"resp_fuids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"orig_fuids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"sid\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}},\"port\":{\"id\":\"number\",\"params\":{\"pattern\":\"0.[000]\"}},\"query\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"query.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"server_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"server_name.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"virtual_host\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"virtual_host.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"indicator\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"indicator.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"file_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"file_ip.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"signature_info\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"{{rawValue}}\",\"labelTemplate\":\"{{value}}\"}},\"highest_registered_domain\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"highest_registered_domain.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"domain_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"domain_name.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"duration\":{\"id\":\"duration\",\"params\":{\"outputFormat\":\"asSeconds\",\"outputPrecision\":6}},\"missed_bytes\":{\"id\":\"bytes\"},\"missing_bytes\":{\"id\":\"bytes\"},\"original_bytes\":{\"id\":\"bytes\"},\"original_ip_bytes\":{\"id\":\"bytes\"},\"overflow_bytes\":{\"id\":\"bytes\"},\"respond_bytes\":{\"id\":\"bytes\"},\"respond_ip_bytes\":{\"id\":\"bytes\"},\"seen_bytes\":{\"id\":\"bytes\"},\"total_bytes\":{\"id\":\"bytes\"},\"rtt\":{\"id\":\"number\",\"params\":{\"pattern\":\"0,0.[0000000]\"}},\"uids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"osquery.LiveQuery\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"LiveQuery\"}},\"TheHive\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"\",\"labelTemplate\":\"Add2Hive\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"aa\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"aa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ack\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ack.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"analyzer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"analyzer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"answers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"answers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"auth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_attempts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints.path_len\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_path_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_host.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_host.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bound_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"call_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"call_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_exponent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_exponent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_number_days_valid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_permanent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_permanent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_signing_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_signing_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"checksum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"checksum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"class.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_build.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_digital_product_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_digital_product_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_fqdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_fqdn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_host_key_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_host_key_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"community\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"community.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compile_ts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compile_ts.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compression_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compression_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connect_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connect_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookie\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.arch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.arch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.dpkg_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.dpkg_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.file\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.file.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_cores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_cores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_mhz\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_mhz.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_free\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_free.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_total\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_total.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_usage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_usage.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.broadcast\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.broadcast.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.dhcp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.dhcp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.gateway\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.gateway.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.metric\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.metric.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.netmask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.netmask.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.dhcp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.dhcp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.netmask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.netmask.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.mtu\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mtu.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_bytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_errors.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_packets\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_packets.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_bytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_errors.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_packets\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_packets.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.architecture.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.codename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.platform\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.platform.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.release\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.release_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.sysname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.sysname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.package\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.package.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.inode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.inode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.local_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.local_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.remote_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.rx_queue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.rx_queue.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.tx_queue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.tx_queue.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.args.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.cmd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.cmd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.egroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.egroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.euser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.euser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.fgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.fgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.nice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.nice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.nlwp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.nlwp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.pgrp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pgrp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.ppid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.ppid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.processor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.processor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.resident\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.resident.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.rgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.rgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.ruser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.ruser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.session\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.session.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.sgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.sgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.share\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.share.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.start_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.start_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.stime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.stime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.suser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.suser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.tgid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.tgid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.utime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.utime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.vm_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.vm_size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.architecture.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.format\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.format.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.multiarch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.multiarch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.section\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.section.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.vendor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.vendor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.pwd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.title.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_passive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_channel_passive.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.ftscomment\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.ftscomment.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.parent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.parent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"desktop_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_width\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dest_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_city\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_city.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_iso_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_iso_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_latitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_region.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dir\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dir.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"direction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"direction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"display_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"display_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"enabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"enabled.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"endpoint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry_location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry_location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"escalated_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"escalated_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"established\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"established.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exception\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exception.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted_cutoff\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted_cutoff.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"first_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"first_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"flow_label\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"flow_label.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"forwardable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"forwardable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"framed_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"framed_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"freq_virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"freq_virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"frequency_scores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"frequency_scores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"full_log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"full_log.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"function\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"function.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_bulk_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_bulk_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_responses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_responses.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_cert_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_cert_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_debug_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_debug_data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_export_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_export_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_import_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_import_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_server_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_server_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"highest_registered_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hop_limit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hop_limit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"iin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"iin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in_reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in_reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"info_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"initiated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"input.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"interface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"interface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ecn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_ecn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_offset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_tos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_tos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_64bit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_64bit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_exe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_exe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_source_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_source_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_webmail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_webmail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_distinguished_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ja3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ja3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ja3s\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ja3s.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kex_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kex_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keyboard_layout\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keyboard_layout.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"launch_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"launch_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lease_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"lease_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log.file.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logged.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"manager.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"manager.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matched\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matched.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mimetype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mimetype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missing_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"n\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"named_pipe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"named_pipe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"native_file_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"native_file_system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"next_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"next_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nick\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nick.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"note\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"note.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"num_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"offset\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"options\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"options.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.EndpointIP1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.EndpointIP1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.EndpointIP2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.EndpointIP2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.LiveQuery\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.LiveQuery.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.calendarTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.calendarTime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.codename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.gid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.gid_signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.gid_signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.shell\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.shell.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uid_signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uid_signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.counter\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.epoch\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hardware_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hardware_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hostIdentifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hostIdentifier.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.unixTime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_agent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_agent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"overflow_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"predecoder.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"predecoder.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"predecoder.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"predecoder.timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prev_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prev_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"profile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"profile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prospector.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prospector.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"proxied.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_class_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_type_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ra\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ra.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rcode_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"recipient_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"recipient_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rejected\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rejected.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_location.country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_color_depth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_color_depth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_resource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_resource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"respond_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resumed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resumed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rows.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"san_dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"san_dns.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"second_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"second_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"section_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"section_names.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"security_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"security_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_node\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_node.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_where\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_where.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sequence_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_dns_computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_dns_computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_host_key_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_host_key_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_major_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_minor_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_nb_computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_nb_computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_tree_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_tree_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"set_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"set_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_flag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_flag.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"site.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sources.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_rule_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_rule_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"suppress_for\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.event.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.gid_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.gid_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.gname_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.gname_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.inode_after\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.md5_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.md5_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.md5_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.md5_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.mtime_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.mtime_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.mtime_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.mtime_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.perm_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.perm_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha1_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha1_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha1_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha1_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha256_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha256_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha256_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha256_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.size_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.size_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.size_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.size_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.uid_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.uid_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.uname_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.uname_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-sourceip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sysmon_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sysmon_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tcp_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tcp_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"terminal_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timed_out\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timed_out.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_accessed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_accessed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_changed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_changed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_created.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_modified.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tld.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tld.subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"top_level_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tracker_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tracker_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"trans_depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"transaction_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ttls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"unparsed_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"unparsed_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"up_since\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"up_since.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"urg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"urg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"useragent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_aslr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_aslr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_code_integrity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_code_integrity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_dep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_dep.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_seh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_seh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_till\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_till.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"validation_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"validation_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"warning\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"warning.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.firedtimes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.gdpr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.gdpr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.gpg13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.gpg13.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.groups\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.groups.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.mail\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.pci_dss\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.pci_dss.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"width.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"window\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"window.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x_originating_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"year\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"z.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TheHive\",\"type\":\"string\",\"count\":0,\"scripted\":true,\"script\":\"'soctopus/thehive/alert/' + doc['_id'].value\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:logstash-*"},"id":"*:logstash-*","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"Security Onion - Network Data","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Datasets** \\n[Connections](/kibana/app/kibana#/dashboard/0cc628b0-6e9f-11ea-9266-1fd14ca6af34) | [DCE/RPC](/kibana/app/kibana#/dashboard/9e882df0-72c5-11ea-8dd2-9d8795a1200b) |\\n[DHCP](/kibana/app/kibana#/dashboard/80625c10-96dd-11ea-814e-bb515e873c2c) \\n[DNP3](/kibana/app/kibana#/dashboard/b1f52180-755a-11ea-9565-7315f4ee5cac) | [DNS](/kibana/app/kibana#/dashboard/55ac6bf0-6ec4-11ea-9266-1fd14ca6af34) |\\n[FTP](/kibana/app/kibana#/dashboard/739bfad0-755a-11ea-9565-7315f4ee5cac) |\\n[HTTP](/kibana/app/kibana#/dashboard/44e9c820-6eb1-11ea-9266-1fd14ca6af34) | [IRC](/kibana/app/kibana#/dashboard/38523560-75ba-11ea-9565-7315f4ee5cac) |\\n[Kerberos](/kibana/app/kibana#/dashboard/b207ab90-75bc-11ea-9565-7315f4ee5cac) \\n[Modbus](/kibana/app/kibana#/dashboard/886a7b90-75bd-11ea-9565-7315f4ee5cac) | \\n[MySQL](/kibana/app/kibana#/dashboard/c3ced6d0-75be-11ea-9565-7315f4ee5cac) | \\n[NTLM](/kibana/app/kibana#/dashboard/558292e0-75c1-11ea-9565-7315f4ee5cac) | \\n[PE](kibana/app/kibana#/dashboard/94b55b90-c761-11ea-bebb-37c5ab5894ea) |\\n[RADIUS](/kibana/app/kibana#/dashboard/b9769e60-75c4-11ea-9565-7315f4ee5cac) | [RDP](/kibana/app/kibana#/dashboard/5b743150-75c5-11ea-9565-7315f4ee5cac) | \\n[RFB](/kibana/app/kibana#/dashboard/c8b3c360-75c6-11ea-9565-7315f4ee5cac) | [SIP](/kibana/app/kibana#/dashboard/dd98e260-75c6-11ea-9565-7315f4ee5cac) \\n[SMB](/kibana/app/kibana#/dashboard/f24d7b80-75c6-11ea-9565-7315f4ee5cac) | [SMTP](/kibana/app/kibana#/dashboard/00304500-75e7-11ea-9565-7315f4ee5cac) | [SNMP](/kibana/app/kibana#/dashboard/96522610-75e8-11ea-9565-7315f4ee5cac) | \\n[SSH](/kibana/app/kibana#/dashboard/9dfd77e0-75eb-11ea-9565-7315f4ee5cac) | [SSL](/kibana/app/kibana#/dashboard/efae8de0-75eb-11ea-9565-7315f4ee5cac) | [Syslog](/kibana/app/kibana#/dashboard/66499a20-75ed-11ea-9565-7315f4ee5cac) | [Tunnels](/kibana/app/kibana#/dashboard/c962dd60-75ed-11ea-9565-7315f4ee5cac) | [X.509](/kibana/app/kibana#/dashboard/2e0865f0-75ee-11ea-9565-7315f4ee5cac) \\n\"},\"title\":\"Security Onion - Network Data\"}"},"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-16T12:42:36.125Z","version":"WzcyNSwyXQ=="} +{"attributes":{"fieldFormatMap":"{\"network.community_id\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:network.community_id,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(network.community_id:'{{ value }}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip.keyword:'{{ value }}')),(term:(destination.ip.keyword:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip.keyword%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip.keyword%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.port\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.port:'{{ value }}')),(term:(destination.port:'{{ value }}')))),meta:(alias:'source.port:%20!'{{ value }}!'%20OR%20destination.port:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.port%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.port%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.port\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.port:'{{ value }}')),(term:(destination.port:'{{ value }}')))),meta:(alias:'source.port:%20!'{{ value }}!'%20OR%20destination.port:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.port%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.port%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.fuid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.fuid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.fuid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.fuid.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.fuid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.fuid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.uid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.uid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.uid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.uid.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.uid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.uid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"_id\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://PLACEHOLDER/securityonion/joblookup?esid={{ value }}\",\"labelTemplate\":\"{{ value }}\"}},\"client.bytes\":{\"id\":\"bytes\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"server.bytes\":{\"id\":\"bytes\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"Push to TheHive\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"\",\"labelTemplate\":\"Click to create an alert in TheHive\"}},\"event.dataset\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.dataset.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.dataset.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.dataset.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.dataset.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.dataset.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.module\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.module.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"agent.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:agent.name.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(agent.name.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"agent.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:agent.name.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(agent.name.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"rule.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.name:'{{ value }}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:''),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"rule.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.name:'{{ value }}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:''),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"osquery.result.live_query\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://PLACEHOLDER/fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"Live Query\"}},\"osquery.result.live_query.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://PLACEHOLDER/fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"Live Query\"}},\"connection.state_description\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.state_description,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(connection.state_description:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"connection.state_description.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.state_description,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(connection.state_description:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"rule.category.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.category,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.category:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"rule.category\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.category,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.category:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"rule.uuid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.uuid,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.uuid:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"connection.history\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.history,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(connection.history:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"connection.history.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.history,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(connection.history:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.message_types\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.message_types,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dhcp.message_types:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.message_types.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.message_types,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dhcp.message_types:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.requested_address\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.requested_address,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.requested_address:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.requested_address.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.requested_address,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.requested_address:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.assigned_ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.assigned_ip,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.assigned_ip:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.assigned_ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.assigned_ip,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.assigned_ip:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"host.mac\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:host.mac,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(host.mac:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"host.mac.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:host.mac,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(host.mac:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.lease_time\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.lease_time,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.lease_time:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.query.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.query.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.query.name:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }{}\"}},\"dns.query.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.query.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.query.name:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.answers\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.answers,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.answers:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.answers.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.answers,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.answers:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.response.code_name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.response.code_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dns.response.code_name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.response.code_name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.response.code_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dns.response.code_name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.mime_type\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.mime_type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.mime_type:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.mime_type.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.mime_type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.mime_type:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.argument\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.argument,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ftp.argument:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.argument.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.argument,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ftp.argument:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.user\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.user,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.user:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.user.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.user,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.user:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.password\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.password,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.password:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.password.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.password,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.password:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.useragent\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.useragent,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(http.useragent:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.useragent.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.useragent,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(http.useragent:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.method\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.method,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.method:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.method.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.method,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.method:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.virtual_host\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.virtual_host,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.virtual_host:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.virtual_host.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.virtual_host,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.virtual_host:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.uri.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.uri.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.uri.keyword:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.uri\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.uri.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.uri.keyword:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"notice.note.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.note,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.note:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"notice.message.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.message,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.message:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"notice.note\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.note,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.note:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"notice.message\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.message,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.message:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.server_name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.server_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ssl.server_name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.server_name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.server_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ssl.server_name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.subject\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.subject:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.subject.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.subject,negate:!f,params:(query:'O%3DDefault%20Company%20Ltd,L%3DDefault%20City,C%3DXX'),type:phrase),query:(match_phrase:(ssl.certificate.subject:'O%3DDefault%20Company%20Ltd,L%3DDefault%20City,C%3DXX')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.issuer\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.issuer:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.issuer.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.issuer:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"syslog.facility\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.facility,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.facility:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"syslog.facility.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.facility,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.facility:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"syslog.severity\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.severity,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.severity:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"syslog.severity.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.severity,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.severity:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.subject\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.subject:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.subject.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.subject:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.issuer\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.issuer:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.issuer.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.issuer:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.san_dns\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.san_dns,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.san_dns:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.san_dns.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.san_dns,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.san_dns:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.key.type\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.key.type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(x509.certificate.key.type:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:edit)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.key.type.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.key.type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(x509.certificate.key.type:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:edit)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"client.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.address\"}}},{\"name\":\"client.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.id.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.id.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.id.product\"}}},{\"name\":\"client.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.ip\"}}},{\"name\":\"client.ip_bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.name\"}}},{\"name\":\"client.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.port.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.port\"}}},{\"name\":\"client.user_agent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.user_agent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.user_agent\"}}},{\"name\":\"connection.bytes.missed\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.history\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.history.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.history\"}}},{\"name\":\"connection.local.originator\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.local.responder\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.state\"}}},{\"name\":\"connection.state_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.state_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.state_description\"}}},{\"name\":\"data.@timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.@timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.@timestamp\"}}},{\"name\":\"data.@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.@version\"}}},{\"name\":\"data._id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data._id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data._id\"}}},{\"name\":\"data._index\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data._index.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data._index\"}}},{\"name\":\"data._type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data._type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data._type\"}}},{\"name\":\"data.agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.ephemeral_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.ephemeral_id\"}}},{\"name\":\"data.agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.id\"}}},{\"name\":\"data.agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.name\"}}},{\"name\":\"data.agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.type\"}}},{\"name\":\"data.agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.agent.version\"}}},{\"name\":\"data.ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.ecs.version\"}}},{\"name\":\"data.event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.action\"}}},{\"name\":\"data.event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.category\"}}},{\"name\":\"data.event.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.event.created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.created\"}}},{\"name\":\"data.event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.dataset\"}}},{\"name\":\"data.event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.kind\"}}},{\"name\":\"data.event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.module\"}}},{\"name\":\"data.event.provider\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.event.provider.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.event.provider\"}}},{\"name\":\"data.fields.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.fields.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.fields.module\"}}},{\"name\":\"data.host.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.architecture.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.architecture\"}}},{\"name\":\"data.host.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.hostname\"}}},{\"name\":\"data.host.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.id\"}}},{\"name\":\"data.host.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.name\"}}},{\"name\":\"data.host.os.build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.build\"}}},{\"name\":\"data.host.os.family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.family\"}}},{\"name\":\"data.host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.kernel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.kernel\"}}},{\"name\":\"data.host.os.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.name\"}}},{\"name\":\"data.host.os.platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.platform.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.platform\"}}},{\"name\":\"data.host.os.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.host.os.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.host.os.version\"}}},{\"name\":\"data.log.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.log.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.log.level\"}}},{\"name\":\"data.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.message\"}}},{\"name\":\"data.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.module\"}}},{\"name\":\"data.num_hits\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.num_matches\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.command_line\"}}},{\"name\":\"data.process.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.entity_id\"}}},{\"name\":\"data.process.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.executable\"}}},{\"name\":\"data.process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.parent.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.parent.command_line\"}}},{\"name\":\"data.process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.parent.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.parent.entity_id\"}}},{\"name\":\"data.process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.parent.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.parent.executable\"}}},{\"name\":\"data.process.pe.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pe.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.pe.description\"}}},{\"name\":\"data.process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pe.file_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.pe.file_version\"}}},{\"name\":\"data.process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pe.original_file_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.pe.original_file_name\"}}},{\"name\":\"data.process.pe.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pe.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.pe.product\"}}},{\"name\":\"data.process.ppid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.ppid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.ppid\"}}},{\"name\":\"data.process.working_directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.working_directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.process.working_directory\"}}},{\"name\":\"data.tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.tags\"}}},{\"name\":\"data.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.type\"}}},{\"name\":\"data.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.user.name\"}}},{\"name\":\"data.winlog.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.api.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.api\"}}},{\"name\":\"data.winlog.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.channel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.channel\"}}},{\"name\":\"data.winlog.computer_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.computer_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.computer_name\"}}},{\"name\":\"data.winlog.event_data.Company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.Company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.Company\"}}},{\"name\":\"data.winlog.event_data.Hashes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.Hashes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.Hashes\"}}},{\"name\":\"data.winlog.event_data.IntegrityLevel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.IntegrityLevel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.IntegrityLevel\"}}},{\"name\":\"data.winlog.event_data.LogonGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.LogonGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.LogonGuid\"}}},{\"name\":\"data.winlog.event_data.LogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.LogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.LogonId\"}}},{\"name\":\"data.winlog.event_data.ProcessId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.ProcessId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.ProcessId\"}}},{\"name\":\"data.winlog.event_data.RuleName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.RuleName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.RuleName\"}}},{\"name\":\"data.winlog.event_data.TerminalSessionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.TerminalSessionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.TerminalSessionId\"}}},{\"name\":\"data.winlog.event_data.UtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.event_data.UtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.event_data.UtcTime\"}}},{\"name\":\"data.winlog.event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.winlog.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.opcode\"}}},{\"name\":\"data.winlog.process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.winlog.process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.winlog.provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.provider_guid\"}}},{\"name\":\"data.winlog.provider_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.provider_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.provider_name\"}}},{\"name\":\"data.winlog.record_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.winlog.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.task\"}}},{\"name\":\"data.winlog.user.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.user.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.user.domain\"}}},{\"name\":\"data.winlog.user.identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.user.identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.user.identifier\"}}},{\"name\":\"data.winlog.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.user.name\"}}},{\"name\":\"data.winlog.user.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.winlog.user.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.winlog.user.type\"}}},{\"name\":\"data.winlog.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dce_rpc.endpoint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.endpoint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.endpoint\"}}},{\"name\":\"dce_rpc.named_pipe\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.named_pipe.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.named_pipe\"}}},{\"name\":\"dce_rpc.operation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.operation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.operation\"}}},{\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.city_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.city_name\"}}},{\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.continent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.continent_name\"}}},{\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.country_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_iso_code\"}}},{\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.country_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_name\"}}},{\"name\":\"destination.geo.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.ip\"}}},{\"name\":\"destination.geo.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.region_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_iso_code\"}}},{\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.region_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_name\"}}},{\"name\":\"destination.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.timezone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.timezone\"}}},{\"name\":\"destination.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.ip\"}}},{\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dhcp.assigned_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.assigned_ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.assigned_ip\"}}},{\"name\":\"dhcp.lease_time\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dhcp.message_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.message_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.message_types\"}}},{\"name\":\"dhcp.requested_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.requested_address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.requested_address\"}}},{\"name\":\"dnp3.fc_reply\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dnp3.fc_reply.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_reply\"}}},{\"name\":\"dnp3.fc_request\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dnp3.fc_request.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_request\"}}},{\"name\":\"dnp3.iin\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.answers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.answers.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.answers\"}}},{\"name\":\"dns.authoritative\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.highest_registered_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.highest_registered_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.highest_registered_domain\"}}},{\"name\":\"dns.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.parent_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.parent_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.parent_domain\"}}},{\"name\":\"dns.parent_domain_length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.class\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.class_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.class_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.class_name\"}}},{\"name\":\"dns.query.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.name\"}}},{\"name\":\"dns.query.rejected\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.type\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.type_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.type_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.type_name\"}}},{\"name\":\"dns.recursion.available\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.recursion.desired\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.reserved\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.response.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.response.code_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.response.code_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.response.code_name\"}}},{\"name\":\"dns.subdomain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.subdomain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.subdomain\"}}},{\"name\":\"dns.subdomain_length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.top_level_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.top_level_domain\"}}},{\"name\":\"dns.truncated\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.ttls\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"error.reason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error.reason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"error.reason\"}}},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.created\"}}},{\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.provider.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.provider\"}}},{\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.severity_label\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.severity_label.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.severity_label\"}}},{\"name\":\"event.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.timestamp\"}}},{\"name\":\"file.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.action\"}}},{\"name\":\"file.analyzer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.analyzer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.analyzer\"}}},{\"name\":\"file.aslr\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.missing\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.overflow\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.seen\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.total\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_integrity\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.compile_timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.compile_timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.compile_timestamp\"}}},{\"name\":\"file.debug_data\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.dep\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.extracted.cutoff\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.extracted.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.extracted.filename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.extracted.filename\"}}},{\"name\":\"file.flavors.mime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.flavors.mime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.flavors.mime\"}}},{\"name\":\"file.flavors.yara\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.flavors.yara.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.flavors.yara\"}}},{\"name\":\"file.is_64bit\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.is_exe\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.is_orig\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.local_orig\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.machine\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.machine.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.machine\"}}},{\"name\":\"file.mime_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.mime_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.mime_type\"}}},{\"name\":\"file.mimetype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.mimetype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.mimetype\"}}},{\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.name\"}}},{\"name\":\"file.orig_filenames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.orig_filenames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.orig_filenames\"}}},{\"name\":\"file.orig_mime_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.orig_mime_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.orig_mime_types\"}}},{\"name\":\"file.os\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.os.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.os\"}}},{\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"name\":\"file.resp_filenames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.resp_filenames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.resp_filenames\"}}},{\"name\":\"file.resp_mime_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.resp_mime_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.resp_mime_types\"}}},{\"name\":\"file.scanners\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.scanners.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.scanners\"}}},{\"name\":\"file.section_names\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.section_names.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.section_names\"}}},{\"name\":\"file.seh\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.source\"}}},{\"name\":\"file.subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.subsystem\"}}},{\"name\":\"file.table.cert\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.table.export\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.table.import\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.timed_out\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.times_accessed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_accessed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_accessed\"}}},{\"name\":\"file.times_changed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_changed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_changed\"}}},{\"name\":\"file.times_created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_created\"}}},{\"name\":\"file.times_modified\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_modified.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_modified\"}}},{\"name\":\"file.tree.node\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.node.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.node\"}}},{\"name\":\"file.tree.parent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.parent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.parent\"}}},{\"name\":\"file.tree.root\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.root.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.root\"}}},{\"name\":\"ftp.argument\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.argument.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.argument\"}}},{\"name\":\"ftp.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.command\"}}},{\"name\":\"ftp.data_channel_destination.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.data_channel_destination.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.data_channel_destination.ip\"}}},{\"name\":\"ftp.data_channel_destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_passive\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_source.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.data_channel_source.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.data_channel_source.ip\"}}},{\"name\":\"ftp.password\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.password.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.password\"}}},{\"name\":\"ftp.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.user.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.user\"}}},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash.hassh\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.hassh.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.hassh\"}}},{\"name\":\"hash.ja3\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ja3.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ja3\"}}},{\"name\":\"hash.ja3s\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ja3s.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ja3s\"}}},{\"name\":\"hash.md5\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.md5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.md5\"}}},{\"name\":\"hash.sha1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.sha1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.sha1\"}}},{\"name\":\"hash.sha256\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.sha256.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.sha256\"}}},{\"name\":\"hash.ssdeep\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ssdeep.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ssdeep\"}}},{\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.architecture.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.architecture\"}}},{\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.domain\"}}},{\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.hostname\"}}},{\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.id\"}}},{\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.mac.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.mac\"}}},{\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.name\"}}},{\"name\":\"host.os.build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.build\"}}},{\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.family\"}}},{\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.kernel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.kernel\"}}},{\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.platform.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.platform\"}}},{\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.version\"}}},{\"name\":\"host.syscheck.event\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.event.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.event\"}}},{\"name\":\"host.syscheck.gid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.gid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gid_after\"}}},{\"name\":\"host.syscheck.gname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.gname_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gname_after\"}}},{\"name\":\"host.syscheck.inode_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.syscheck.inode_before\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.syscheck.md5_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.md5_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_after\"}}},{\"name\":\"host.syscheck.md5_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.md5_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_before\"}}},{\"name\":\"host.syscheck.mtime_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mtime_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_after\"}}},{\"name\":\"host.syscheck.mtime_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mtime_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_before\"}}},{\"name\":\"host.syscheck.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.path\"}}},{\"name\":\"host.syscheck.perm_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.perm_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.perm_after\"}}},{\"name\":\"host.syscheck.sha1_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha1_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_after\"}}},{\"name\":\"host.syscheck.sha1_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha1_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_before\"}}},{\"name\":\"host.syscheck.sha256_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha256_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_after\"}}},{\"name\":\"host.syscheck.sha256_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha256_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_before\"}}},{\"name\":\"host.syscheck.size_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.size_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.size_after\"}}},{\"name\":\"host.syscheck.uid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.uid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uid_after\"}}},{\"name\":\"host.syscheck.uname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.uname_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uname_after\"}}},{\"name\":\"http.info_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.info_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.info_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.info_message\"}}},{\"name\":\"http.method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.method\"}}},{\"name\":\"http.proxied\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.proxied.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.proxied\"}}},{\"name\":\"http.referrer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.referrer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.referrer\"}}},{\"name\":\"http.request.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.status_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.status_message\"}}},{\"name\":\"http.trans_depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.uri\"}}},{\"name\":\"http.useragent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.useragent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.useragent\"}}},{\"name\":\"http.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.version\"}}},{\"name\":\"http.virtual_host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.virtual_host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.virtual_host\"}}},{\"name\":\"ingest.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ingest.timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ingest.timestamp\"}}},{\"name\":\"irc.command.info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.info\"}}},{\"name\":\"irc.command.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.type\"}}},{\"name\":\"irc.command.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.value\"}}},{\"name\":\"irc.nickname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.nickname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.nickname\"}}},{\"name\":\"irc.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.username\"}}},{\"name\":\"kerberos.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.client\"}}},{\"name\":\"kerberos.client_certificate_subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.client_certificate_subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.client_certificate_subject\"}}},{\"name\":\"kerberos.error_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.error_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.error_message\"}}},{\"name\":\"kerberos.request_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.request_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.request_type\"}}},{\"name\":\"kerberos.server_certificate_subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.server_certificate_subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.server_certificate_subject\"}}},{\"name\":\"kerberos.service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.service\"}}},{\"name\":\"kerberos.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.cipher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.cipher.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.cipher\"}}},{\"name\":\"kerberos.ticket.forwardable\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.renewable\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.valid.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.valid.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.from\"}}},{\"name\":\"kerberos.ticket.valid.until\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.valid.until.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.until\"}}},{\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.full\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.full.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.full\"}}},{\"name\":\"log.id.client_certificate_fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.client_certificate_fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.client_certificate_fuid\"}}},{\"name\":\"log.id.fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.fuid\"}}},{\"name\":\"log.id.fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.fuids\"}}},{\"name\":\"log.id.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.id\"}}},{\"name\":\"log.id.orig_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.orig_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.orig_fuids\"}}},{\"name\":\"log.id.resp_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.resp_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.resp_fuids\"}}},{\"name\":\"log.id.server_certificate_fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.server_certificate_fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.server_certificate_fuid\"}}},{\"name\":\"log.id.tunnel_parents\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.tunnel_parents.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.tunnel_parents\"}}},{\"name\":\"log.id.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.uid\"}}},{\"name\":\"log.id.uids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.uids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.uids\"}}},{\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.level\"}}},{\"name\":\"log.location\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.location.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.location\"}}},{\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"manager.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"manager.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"manager.name\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"modbus.exception\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"modbus.exception.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"modbus.exception\"}}},{\"name\":\"modbus.function\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"modbus.function.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"modbus.function\"}}},{\"name\":\"mysql.argument\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.argument.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.argument\"}}},{\"name\":\"mysql.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.command\"}}},{\"name\":\"mysql.response\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.response.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.response\"}}},{\"name\":\"mysql.rows\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.community_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.community_id\"}}},{\"name\":\"network.data.decoded\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.data.decoded.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.data.decoded\"}}},{\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.protocol\"}}},{\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.transport.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.transport\"}}},{\"name\":\"notice.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.action\"}}},{\"name\":\"notice.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.message\"}}},{\"name\":\"notice.note\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.note.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.note\"}}},{\"name\":\"notice.p\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice.peer_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.peer_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.peer_description\"}}},{\"name\":\"notice.sub_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.sub_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.sub_message\"}}},{\"name\":\"notice.suppress_for\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm.server.dns.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.dns.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.dns.name\"}}},{\"name\":\"ntlm.server.nb.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.nb.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.nb.name\"}}},{\"name\":\"ntlm.server.tree.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.tree.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.tree.name\"}}},{\"name\":\"ntlm.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"observer.analyzer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"observer.analyzer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"observer.analyzer\"}}},{\"name\":\"observer.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"observer.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"observer.name\"}}},{\"name\":\"osquery.result.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.action\"}}},{\"name\":\"osquery.result.calendar_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.calendar_time.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.calendar_time\"}}},{\"name\":\"osquery.result.codename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.codename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.codename\"}}},{\"name\":\"osquery.result.columns.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.description\"}}},{\"name\":\"osquery.result.columns.directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.directory\"}}},{\"name\":\"osquery.result.columns.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.gid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.gid\"}}},{\"name\":\"osquery.result.columns.gid_signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.gid_signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.gid_signed\"}}},{\"name\":\"osquery.result.columns.shell\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.shell.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.shell\"}}},{\"name\":\"osquery.result.columns.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uid\"}}},{\"name\":\"osquery.result.columns.uid_signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uid_signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uid_signed\"}}},{\"name\":\"osquery.result.columns.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.username\"}}},{\"name\":\"osquery.result.columns.uuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.uuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.uuid\"}}},{\"name\":\"osquery.result.counter\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.endpoint_ip1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.endpoint_ip1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip1\"}}},{\"name\":\"osquery.result.endpoint_ip2\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.endpoint_ip2.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip2\"}}},{\"name\":\"osquery.result.epoch\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.hardware_serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hardware_serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hardware_serial\"}}},{\"name\":\"osquery.result.host_identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.host_identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.host_identifier\"}}},{\"name\":\"osquery.result.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hostname\"}}},{\"name\":\"osquery.result.live_query\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.live_query.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.live_query\"}}},{\"name\":\"osquery.result.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.name\"}}},{\"name\":\"osquery.result.numerics\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.unix_time\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"name\":\"process.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.entity_id\"}}},{\"name\":\"process.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"name\":\"process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.command_line\"}}},{\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.entity_id\"}}},{\"name\":\"process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"name\":\"process.pe.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.description\"}}},{\"name\":\"process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.file_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.file_version\"}}},{\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.original_file_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.original_file_name\"}}},{\"name\":\"process.pe.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.product\"}}},{\"name\":\"process.pid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pid\"}}},{\"name\":\"process.ppid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.ppid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.ppid\"}}},{\"name\":\"process.working_directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.working_directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"name\":\"radius.framed_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.framed_address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.framed_address\"}}},{\"name\":\"radius.reply_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.reply_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.reply_message\"}}},{\"name\":\"radius.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.result\"}}},{\"name\":\"rdp.certificate_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.certificate_permanent\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.certificate_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.certificate_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.certificate_type\"}}},{\"name\":\"rdp.client_build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.client_build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.client_build\"}}},{\"name\":\"rdp.cookie\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.cookie.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.cookie\"}}},{\"name\":\"rdp.desktop.height\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.desktop.width\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.encryption_level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.encryption_level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_level\"}}},{\"name\":\"rdp.encryption_method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.encryption_method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_method\"}}},{\"name\":\"rdp.keyboard_layout\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.keyboard_layout.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.keyboard_layout\"}}},{\"name\":\"rdp.requested_color_depth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.requested_color_depth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.requested_color_depth\"}}},{\"name\":\"rdp.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.result\"}}},{\"name\":\"rdp.security_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.security_protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.security_protocol\"}}},{\"name\":\"request.attributes.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.attributes.filename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.attributes.filename\"}}},{\"name\":\"request.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.client\"}}},{\"name\":\"request.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.id\"}}},{\"name\":\"request.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.source\"}}},{\"name\":\"request.time\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.action\"}}},{\"name\":\"rule.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.category\"}}},{\"name\":\"rule.firedtimes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.gdpr\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.gdpr.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gdpr\"}}},{\"name\":\"rule.gid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.gpg13\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.gpg13.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gpg13\"}}},{\"name\":\"rule.groups\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.groups.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.groups\"}}},{\"name\":\"rule.hipaa\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.hipaa.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.hipaa\"}}},{\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.id\"}}},{\"name\":\"rule.level\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.mail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.metadata.affected_product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.affected_product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.affected_product\"}}},{\"name\":\"rule.metadata.attack_target\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.attack_target.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.attack_target\"}}},{\"name\":\"rule.metadata.created_at\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.created_at.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.created_at\"}}},{\"name\":\"rule.metadata.deployment\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.deployment.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.deployment\"}}},{\"name\":\"rule.metadata.former_category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.former_category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.former_category\"}}},{\"name\":\"rule.metadata.malware_family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.malware_family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.malware_family\"}}},{\"name\":\"rule.metadata.performance_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.performance_impact.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.performance_impact\"}}},{\"name\":\"rule.metadata.signature_severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.signature_severity.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.signature_severity\"}}},{\"name\":\"rule.metadata.tag\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.tag.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.tag\"}}},{\"name\":\"rule.metadata.updated_at\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.updated_at.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.updated_at\"}}},{\"name\":\"rule.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.name\"}}},{\"name\":\"rule.nist_800_53\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.nist_800_53.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.nist_800_53\"}}},{\"name\":\"rule.pci_dss\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.pci_dss.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.pci_dss\"}}},{\"name\":\"rule.rev\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.rule\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.rule.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.rule\"}}},{\"name\":\"rule.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.uuid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.entropy.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.entropy.entropy\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.exiftool.About\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.About.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.About\"}}},{\"name\":\"scan.exiftool.AppVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.AppVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.AppVersion\"}}},{\"name\":\"scan.exiftool.Author\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Author.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Author\"}}},{\"name\":\"scan.exiftool.BitDepth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.BitDepth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.BitDepth\"}}},{\"name\":\"scan.exiftool.BuildID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.BuildID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.BuildID\"}}},{\"name\":\"scan.exiftool.CharCountWithSpaces\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CharCountWithSpaces.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CharCountWithSpaces\"}}},{\"name\":\"scan.exiftool.CharacterSet\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CharacterSet.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CharacterSet\"}}},{\"name\":\"scan.exiftool.Characters\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Characters.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Characters\"}}},{\"name\":\"scan.exiftool.CodePage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CodePage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CodePage\"}}},{\"name\":\"scan.exiftool.CodeSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CodeSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CodeSize\"}}},{\"name\":\"scan.exiftool.ColorType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ColorType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ColorType\"}}},{\"name\":\"scan.exiftool.Comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Comments.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Comments\"}}},{\"name\":\"scan.exiftool.CompObjUserType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompObjUserType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompObjUserType\"}}},{\"name\":\"scan.exiftool.CompObjUserTypeLen\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompObjUserTypeLen.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompObjUserTypeLen\"}}},{\"name\":\"scan.exiftool.Company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Company\"}}},{\"name\":\"scan.exiftool.CompanyName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompanyName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompanyName\"}}},{\"name\":\"scan.exiftool.Compression\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Compression.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Compression\"}}},{\"name\":\"scan.exiftool.CreateDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CreateDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CreateDate\"}}},{\"name\":\"scan.exiftool.Creator\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Creator.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Creator\"}}},{\"name\":\"scan.exiftool.CreatorTool\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CreatorTool.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CreatorTool\"}}},{\"name\":\"scan.exiftool.DerivedFromDocumentID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DerivedFromDocumentID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DerivedFromDocumentID\"}}},{\"name\":\"scan.exiftool.DerivedFromInstanceID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DerivedFromInstanceID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DerivedFromInstanceID\"}}},{\"name\":\"scan.exiftool.Directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Directory\"}}},{\"name\":\"scan.exiftool.DocumentID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DocumentID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DocumentID\"}}},{\"name\":\"scan.exiftool.EntryPoint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.EntryPoint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.EntryPoint\"}}},{\"name\":\"scan.exiftool.Error\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Error.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Error\"}}},{\"name\":\"scan.exiftool.ExifToolVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ExifToolVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ExifToolVersion\"}}},{\"name\":\"scan.exiftool.FileAccessDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileAccessDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileAccessDate\"}}},{\"name\":\"scan.exiftool.FileDescription\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileDescription.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileDescription\"}}},{\"name\":\"scan.exiftool.FileFlags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileFlags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileFlags\"}}},{\"name\":\"scan.exiftool.FileFlagsMask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileFlagsMask.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileFlagsMask\"}}},{\"name\":\"scan.exiftool.FileInodeChangeDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileInodeChangeDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileInodeChangeDate\"}}},{\"name\":\"scan.exiftool.FileModifyDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileModifyDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileModifyDate\"}}},{\"name\":\"scan.exiftool.FileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileName\"}}},{\"name\":\"scan.exiftool.FileOS\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileOS.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileOS\"}}},{\"name\":\"scan.exiftool.FilePermissions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FilePermissions.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FilePermissions\"}}},{\"name\":\"scan.exiftool.FileSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileSize\"}}},{\"name\":\"scan.exiftool.FileSubtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileSubtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileSubtype\"}}},{\"name\":\"scan.exiftool.FileType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileType\"}}},{\"name\":\"scan.exiftool.FileTypeExtension\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileTypeExtension.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileTypeExtension\"}}},{\"name\":\"scan.exiftool.FileVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileVersion\"}}},{\"name\":\"scan.exiftool.FileVersionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileVersionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileVersionNumber\"}}},{\"name\":\"scan.exiftool.Filter\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Filter.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Filter\"}}},{\"name\":\"scan.exiftool.Format\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Format.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Format\"}}},{\"name\":\"scan.exiftool.HasXFA\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HasXFA.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HasXFA\"}}},{\"name\":\"scan.exiftool.HeadingPairs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HeadingPairs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HeadingPairs\"}}},{\"name\":\"scan.exiftool.HyperlinksChanged\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HyperlinksChanged.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HyperlinksChanged\"}}},{\"name\":\"scan.exiftool.ImageHeight\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageHeight.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageHeight\"}}},{\"name\":\"scan.exiftool.ImageSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageSize\"}}},{\"name\":\"scan.exiftool.ImageVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageVersion\"}}},{\"name\":\"scan.exiftool.ImageWidth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageWidth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageWidth\"}}},{\"name\":\"scan.exiftool.InitializedDataSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InitializedDataSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InitializedDataSize\"}}},{\"name\":\"scan.exiftool.InstanceID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InstanceID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InstanceID\"}}},{\"name\":\"scan.exiftool.Interlace\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Interlace.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Interlace\"}}},{\"name\":\"scan.exiftool.InternalName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InternalName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InternalName\"}}},{\"name\":\"scan.exiftool.Keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Keywords\"}}},{\"name\":\"scan.exiftool.Language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Language\"}}},{\"name\":\"scan.exiftool.LanguageCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LanguageCode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LanguageCode\"}}},{\"name\":\"scan.exiftool.LastModifiedBy\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LastModifiedBy.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LastModifiedBy\"}}},{\"name\":\"scan.exiftool.LegalCopyright\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LegalCopyright.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LegalCopyright\"}}},{\"name\":\"scan.exiftool.LegalTrademarks\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LegalTrademarks.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LegalTrademarks\"}}},{\"name\":\"scan.exiftool.Linearized\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Linearized.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Linearized\"}}},{\"name\":\"scan.exiftool.Lines\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Lines.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Lines\"}}},{\"name\":\"scan.exiftool.LinkerVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LinkerVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LinkerVersion\"}}},{\"name\":\"scan.exiftool.LinksUpToDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LinksUpToDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LinksUpToDate\"}}},{\"name\":\"scan.exiftool.MIMEType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.MIMEType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.MIMEType\"}}},{\"name\":\"scan.exiftool.MachineType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.MachineType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.MachineType\"}}},{\"name\":\"scan.exiftool.Megapixels\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Megapixels.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Megapixels\"}}},{\"name\":\"scan.exiftool.ModifyDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ModifyDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ModifyDate\"}}},{\"name\":\"scan.exiftool.OSVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.OSVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.OSVersion\"}}},{\"name\":\"scan.exiftool.ObjectFileType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ObjectFileType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ObjectFileType\"}}},{\"name\":\"scan.exiftool.OriginalFileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.OriginalFileName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.OriginalFileName\"}}},{\"name\":\"scan.exiftool.PDFVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PDFVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PDFVersion\"}}},{\"name\":\"scan.exiftool.PEType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PEType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PEType\"}}},{\"name\":\"scan.exiftool.PTEX_Fullbanner\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PTEX_Fullbanner.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PTEX_Fullbanner\"}}},{\"name\":\"scan.exiftool.PageCount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PageCount.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PageCount\"}}},{\"name\":\"scan.exiftool.Pages\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Pages.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Pages\"}}},{\"name\":\"scan.exiftool.Paragraphs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Paragraphs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Paragraphs\"}}},{\"name\":\"scan.exiftool.PrivateBuild\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PrivateBuild.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PrivateBuild\"}}},{\"name\":\"scan.exiftool.Producer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Producer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Producer\"}}},{\"name\":\"scan.exiftool.ProductName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductName\"}}},{\"name\":\"scan.exiftool.ProductVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductVersion\"}}},{\"name\":\"scan.exiftool.ProductVersionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductVersionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductVersionNumber\"}}},{\"name\":\"scan.exiftool.RevisionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.RevisionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.RevisionNumber\"}}},{\"name\":\"scan.exiftool.ScaleCrop\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ScaleCrop.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ScaleCrop\"}}},{\"name\":\"scan.exiftool.Security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Security.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Security\"}}},{\"name\":\"scan.exiftool.SharedDoc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SharedDoc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SharedDoc\"}}},{\"name\":\"scan.exiftool.Software\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Software.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Software\"}}},{\"name\":\"scan.exiftool.SourceFile\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SourceFile.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SourceFile\"}}},{\"name\":\"scan.exiftool.SpecialBuild\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SpecialBuild.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SpecialBuild\"}}},{\"name\":\"scan.exiftool.Subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Subject\"}}},{\"name\":\"scan.exiftool.Subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Subsystem\"}}},{\"name\":\"scan.exiftool.SubsystemVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SubsystemVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SubsystemVersion\"}}},{\"name\":\"scan.exiftool.SvnRevision\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SvnRevision.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SvnRevision\"}}},{\"name\":\"scan.exiftool.Template\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Template.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Template\"}}},{\"name\":\"scan.exiftool.TimeStamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.TimeStamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TimeStamp\"}}},{\"name\":\"scan.exiftool.Title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Title.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Title\"}}},{\"name\":\"scan.exiftool.TitleOfParts\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.TitleOfParts.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TitleOfParts\"}}},{\"name\":\"scan.exiftool.TotalEditTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.TotalEditTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TotalEditTime\"}}},{\"name\":\"scan.exiftool.Trapped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Trapped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Trapped\"}}},{\"name\":\"scan.exiftool.UninitializedDataSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.UninitializedDataSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.UninitializedDataSize\"}}},{\"name\":\"scan.exiftool.Warning\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Warning.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Warning\"}}},{\"name\":\"scan.exiftool.Words\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Words.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Words\"}}},{\"name\":\"scan.exiftool.XMPToolkit\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.XMPToolkit.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.XMPToolkit\"}}},{\"name\":\"scan.exiftool.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.header.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.header.header\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.header.header.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.header.header\"}}},{\"name\":\"scan.ini.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ini.keys.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.name\"}}},{\"name\":\"scan.ini.keys.section\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.section.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.section\"}}},{\"name\":\"scan.ini.keys.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.value\"}}},{\"name\":\"scan.ini.sections\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.sections.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.sections\"}}},{\"name\":\"scan.libarchive.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.libarchive.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.libarchive.total.files\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.mmbot.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.mmbot.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.mmbot.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.mmbot.flags\"}}},{\"name\":\"scan.ocr.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ole.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ole.flags\"}}},{\"name\":\"scan.ole.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.total.streams\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.total.objects\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.debug.age\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.debug.guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.guid\"}}},{\"name\":\"scan.pe.debug.pdb\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.pdb.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.pdb\"}}},{\"name\":\"scan.pe.debug.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.type\"}}},{\"name\":\"scan.pe.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.file_info.fixed.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.flags\"}}},{\"name\":\"scan.pe.file_info.fixed.operating_systems\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.operating_systems.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.operating_systems\"}}},{\"name\":\"scan.pe.file_info.fixed.type.primary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.type.primary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.type.primary\"}}},{\"name\":\"scan.pe.file_info.string.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.string.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.string.name\"}}},{\"name\":\"scan.pe.file_info.string.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.string.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.string.value\"}}},{\"name\":\"scan.pe.file_info.var.character_set\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.var.character_set.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.var.character_set\"}}},{\"name\":\"scan.pe.file_info.var.language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.var.language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.var.language\"}}},{\"name\":\"scan.pe.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.flags\"}}},{\"name\":\"scan.pe.header.address.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.address.data\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.address.entry_point\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.address.image\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.alignment.file\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.alignment.section\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.characteristics.dll\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.characteristics.dll.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.characteristics.dll\"}}},{\"name\":\"scan.pe.header.characteristics.image\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.characteristics.image.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.characteristics.image\"}}},{\"name\":\"scan.pe.header.checksum\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.machine.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.machine.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.machine.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.machine.type\"}}},{\"name\":\"scan.pe.header.magic.dos\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.magic.dos.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.magic.dos\"}}},{\"name\":\"scan.pe.header.magic.image\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.magic.image.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.magic.image\"}}},{\"name\":\"scan.pe.header.size.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.data.initialized\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.data.uninitialized\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.headers\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.heap.commit\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.heap.reserve\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.image\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.stack.commit\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.stack.reserve\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.subsystem\"}}},{\"name\":\"scan.pe.header.timestamp\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.image\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.linker\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.operating_system\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.subsystem\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.imphash\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.imphash.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.imphash\"}}},{\"name\":\"scan.pe.resources.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.resources.language.primary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.language.primary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.language.primary\"}}},{\"name\":\"scan.pe.resources.language.sub\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.language.sub.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.language.sub\"}}},{\"name\":\"scan.pe.resources.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.name\"}}},{\"name\":\"scan.pe.resources.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.type\"}}},{\"name\":\"scan.pe.sections.address.physical\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.address.virtual\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.characteristics\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.sections.characteristics.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.sections.characteristics\"}}},{\"name\":\"scan.pe.sections.entropy\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.sections.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.sections.name\"}}},{\"name\":\"scan.pe.sections.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.symbols.exported\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.exported.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.exported\"}}},{\"name\":\"scan.pe.symbols.imported\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.imported.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.imported\"}}},{\"name\":\"scan.pe.symbols.libraries\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.libraries.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.libraries\"}}},{\"name\":\"scan.pe.symbols.table.address\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.symbols.table.library\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.library.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.library\"}}},{\"name\":\"scan.pe.symbols.table.symbol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.symbol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.symbol\"}}},{\"name\":\"scan.pe.symbols.table.symbols\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.symbols.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.symbols\"}}},{\"name\":\"scan.pe.symbols.table.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.type\"}}},{\"name\":\"scan.pe.total.libraries\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.resources\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.sections\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.symbols\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pkcs7.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pkcs7.total.certificates\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pkcs7.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.upx.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.url.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.url.urls\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.url.urls.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.url.urls\"}}},{\"name\":\"scan.vb.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vb.functions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.functions.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.functions\"}}},{\"name\":\"scan.vb.names\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.names.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.names\"}}},{\"name\":\"scan.vb.operators\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.operators.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.operators\"}}},{\"name\":\"scan.vb.strings\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.strings.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.strings\"}}},{\"name\":\"scan.vb.tokens\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.tokens.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.tokens\"}}},{\"name\":\"scan.vba.auto_exec\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.auto_exec.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.auto_exec\"}}},{\"name\":\"scan.vba.base64\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.base64.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.base64\"}}},{\"name\":\"scan.vba.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vba.ioc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.ioc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.ioc\"}}},{\"name\":\"scan.vba.suspicious\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.suspicious.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.suspicious\"}}},{\"name\":\"scan.vba.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vba.total.files\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.expired\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.fingerprint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.fingerprint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.fingerprint\"}}},{\"name\":\"scan.x509.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.issuer\"}}},{\"name\":\"scan.x509.not_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.not_before\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.serial_number\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.serial_number.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.serial_number\"}}},{\"name\":\"scan.x509.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.subject\"}}},{\"name\":\"scan.x509.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.namespaces\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.namespaces.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.namespaces\"}}},{\"name\":\"scan.xml.tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.tags\"}}},{\"name\":\"scan.xml.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.total.tags\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.version\"}}},{\"name\":\"scan.yara.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.yara.matches\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.matches.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.matches\"}}},{\"name\":\"scan.yara.meta.identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.meta.identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.meta.identifier\"}}},{\"name\":\"scan.yara.meta.rule\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.meta.rule.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.meta.rule\"}}},{\"name\":\"scan.yara.meta.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.meta.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.meta.value\"}}},{\"name\":\"server.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.address\"}}},{\"name\":\"server.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.ip\"}}},{\"name\":\"server.ip_bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.port.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.port\"}}},{\"name\":\"server.reply_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.reply_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.reply_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.reply_message\"}}},{\"name\":\"server.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.status_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.status_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.status_message\"}}},{\"name\":\"sip.call_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.call_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.call_id\"}}},{\"name\":\"sip.content_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.content_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.content_type\"}}},{\"name\":\"sip.date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.date\"}}},{\"name\":\"sip.method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.method\"}}},{\"name\":\"sip.request.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.request.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.from\"}}},{\"name\":\"sip.request.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.path\"}}},{\"name\":\"sip.request.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.to\"}}},{\"name\":\"sip.response.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.response.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.from\"}}},{\"name\":\"sip.response.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.path\"}}},{\"name\":\"sip.response.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.to\"}}},{\"name\":\"sip.seq\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.seq.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.seq\"}}},{\"name\":\"sip.transaction.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.uri\"}}},{\"name\":\"sip.warning\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.warning.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.warning\"}}},{\"name\":\"smb.file_system\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.file_system.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.file_system\"}}},{\"name\":\"smb.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.path\"}}},{\"name\":\"smb.service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.service\"}}},{\"name\":\"smb.share_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.share_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.share_type\"}}},{\"name\":\"smtp.cc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.cc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.cc\"}}},{\"name\":\"smtp.first_received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.first_received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.first_received\"}}},{\"name\":\"smtp.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.from\"}}},{\"name\":\"smtp.helo\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.helo.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.helo\"}}},{\"name\":\"smtp.in_reply_to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.in_reply_to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.in_reply_to\"}}},{\"name\":\"smtp.is_webmail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.last_reply\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.last_reply.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.last_reply\"}}},{\"name\":\"smtp.mail_date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_date\"}}},{\"name\":\"smtp.mail_from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_from\"}}},{\"name\":\"smtp.message_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.message_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.message_id\"}}},{\"name\":\"smtp.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.path\"}}},{\"name\":\"smtp.recipient_to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.recipient_to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.recipient_to\"}}},{\"name\":\"smtp.second_received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.second_received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.second_received\"}}},{\"name\":\"smtp.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.subject\"}}},{\"name\":\"smtp.tls\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.to\"}}},{\"name\":\"smtp.transaction_depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.useragent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.useragent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.useragent\"}}},{\"name\":\"snmp.community\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.community.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.community\"}}},{\"name\":\"snmp.display_string\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.display_string.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.display_string\"}}},{\"name\":\"snmp.get.bulk_requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.get.requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.get.responses\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.set.requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.up_since\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.up_since.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.up_since\"}}},{\"name\":\"snmp.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.version\"}}},{\"name\":\"socks.bound.host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.bound.host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.bound.host\"}}},{\"name\":\"socks.bound.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"socks.request.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.request.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.request.name\"}}},{\"name\":\"socks.request.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"socks.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.status\"}}},{\"name\":\"socks.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.user.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.user\"}}},{\"name\":\"socks.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.name\"}}},{\"name\":\"software.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.type\"}}},{\"name\":\"software.version.additional_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.version.additional_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.version.additional_info\"}}},{\"name\":\"software.version.major\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.minor\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.minor2\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.unparsed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.version.unparsed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.version.unparsed\"}}},{\"name\":\"source.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.city_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.city_name\"}}},{\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.continent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.continent_name\"}}},{\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.country_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_iso_code\"}}},{\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.country_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_name\"}}},{\"name\":\"source.geo.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.ip\"}}},{\"name\":\"source.geo.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.region_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_iso_code\"}}},{\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.region_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_name\"}}},{\"name\":\"source.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.timezone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.timezone\"}}},{\"name\":\"source.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.ip\"}}},{\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.authentication.attempts\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.authentication.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.cipher_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.cipher_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.cipher_algorithm\"}}},{\"name\":\"ssh.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.client\"}}},{\"name\":\"ssh.client_host_key_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client_host_key_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.client_host_key_algorithms\"}}},{\"name\":\"ssh.compression_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.compression_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.compression_algorithm\"}}},{\"name\":\"ssh.direction\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.direction.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.direction\"}}},{\"name\":\"ssh.hassh_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_algorithms\"}}},{\"name\":\"ssh.hassh_server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server\"}}},{\"name\":\"ssh.hassh_server_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_server_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server_algorithms\"}}},{\"name\":\"ssh.hassh_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_version\"}}},{\"name\":\"ssh.host_key\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.host_key.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key\"}}},{\"name\":\"ssh.host_key_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.host_key_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key_algorithm\"}}},{\"name\":\"ssh.kex_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.kex_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.kex_algorithm\"}}},{\"name\":\"ssh.mac_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.mac_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.mac_algorithm\"}}},{\"name\":\"ssh.server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.server\"}}},{\"name\":\"ssh.server_host_key_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server_host_key_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.server_host_key_algorithms\"}}},{\"name\":\"ssh.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.certificate.chain_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.chain_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.chain_fuids\"}}},{\"name\":\"ssl.certificate.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.issuer\"}}},{\"name\":\"ssl.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.subject\"}}},{\"name\":\"ssl.cipher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.cipher.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.cipher\"}}},{\"name\":\"ssl.client.certificate.chain_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.certificate.chain_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.certificate.chain_fuids\"}}},{\"name\":\"ssl.client.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.issuer\"}}},{\"name\":\"ssl.client.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.subject\"}}},{\"name\":\"ssl.curve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.curve.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.curve\"}}},{\"name\":\"ssl.established\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.last_alert\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.last_alert.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.last_alert\"}}},{\"name\":\"ssl.next_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.next_protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.next_protocol\"}}},{\"name\":\"ssl.resumed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.server_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.server_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.server_name\"}}},{\"name\":\"ssl.validation_status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.validation_status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.validation_status\"}}},{\"name\":\"ssl.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.version\"}}},{\"name\":\"syslog.facility\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog.facility.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syslog.facility\"}}},{\"name\":\"syslog.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog.severity.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syslog.severity\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"name\":\"tunnel.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tunnel.type\"}}},{\"name\":\"user.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.gid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.gid\"}}},{\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"name\":\"user.shell\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.shell.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.shell\"}}},{\"name\":\"user.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.uid\"}}},{\"name\":\"version.minor3\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"weird.additional_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.additional_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.additional_info\"}}},{\"name\":\"weird.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.name\"}}},{\"name\":\"weird.notice\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"weird.peer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.peer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.peer\"}}},{\"name\":\"winlog.activity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.activity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.activity_id\"}}},{\"name\":\"winlog.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.api.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.api\"}}},{\"name\":\"winlog.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.channel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.channel\"}}},{\"name\":\"winlog.computer_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.computer_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.computer_name\"}}},{\"name\":\"winlog.event_data.Address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Address\"}}},{\"name\":\"winlog.event_data.AddressLength\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.AddressLength.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.AddressLength\"}}},{\"name\":\"winlog.event_data.Binary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Binary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Binary\"}}},{\"name\":\"winlog.event_data.BufferSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.BufferSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.BufferSize\"}}},{\"name\":\"winlog.event_data.Company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Company\"}}},{\"name\":\"winlog.event_data.CreationUtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.CreationUtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.CreationUtcTime\"}}},{\"name\":\"winlog.event_data.CurrentStratumNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.CurrentStratumNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.CurrentStratumNumber\"}}},{\"name\":\"winlog.event_data.DeviceName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceName\"}}},{\"name\":\"winlog.event_data.DeviceNameLength\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceNameLength.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceNameLength\"}}},{\"name\":\"winlog.event_data.DeviceTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceTime\"}}},{\"name\":\"winlog.event_data.DeviceVersionMajor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceVersionMajor.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceVersionMajor\"}}},{\"name\":\"winlog.event_data.DeviceVersionMinor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceVersionMinor.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceVersionMinor\"}}},{\"name\":\"winlog.event_data.DomainPeer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DomainPeer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DomainPeer\"}}},{\"name\":\"winlog.event_data.ErrorMessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ErrorMessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ErrorMessage\"}}},{\"name\":\"winlog.event_data.FinalStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.FinalStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.FinalStatus\"}}},{\"name\":\"winlog.event_data.Hashes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Hashes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Hashes\"}}},{\"name\":\"winlog.event_data.ImageLoaded\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ImageLoaded.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ImageLoaded\"}}},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.IntegrityLevel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.IntegrityLevel\"}}},{\"name\":\"winlog.event_data.Library\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Library.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Library\"}}},{\"name\":\"winlog.event_data.LogonGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.LogonGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LogonGuid\"}}},{\"name\":\"winlog.event_data.LogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.LogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LogonId\"}}},{\"name\":\"winlog.event_data.MaxSystemTimeChangeSeconds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.MaxSystemTimeChangeSeconds.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.MaxSystemTimeChangeSeconds\"}}},{\"name\":\"winlog.event_data.NewTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.NewTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.NewTime\"}}},{\"name\":\"winlog.event_data.OldTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.OldTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.OldTime\"}}},{\"name\":\"winlog.event_data.PreviousCreationUtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.PreviousCreationUtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.PreviousCreationUtcTime\"}}},{\"name\":\"winlog.event_data.PreviousTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.PreviousTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.PreviousTime\"}}},{\"name\":\"winlog.event_data.ProcessId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ProcessId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessId\"}}},{\"name\":\"winlog.event_data.ProcessName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ProcessName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessName\"}}},{\"name\":\"winlog.event_data.QueryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryName\"}}},{\"name\":\"winlog.event_data.QueryResults\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryResults.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryResults\"}}},{\"name\":\"winlog.event_data.QueryStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryStatus\"}}},{\"name\":\"winlog.event_data.Reason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Reason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Reason\"}}},{\"name\":\"winlog.event_data.RequiredSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.RequiredSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.RequiredSize\"}}},{\"name\":\"winlog.event_data.RetryMinutes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.RetryMinutes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.RetryMinutes\"}}},{\"name\":\"winlog.event_data.RuleName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.RuleName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.RuleName\"}}},{\"name\":\"winlog.event_data.Service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Service\"}}},{\"name\":\"winlog.event_data.Signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Signature\"}}},{\"name\":\"winlog.event_data.SignatureStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SignatureStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SignatureStatus\"}}},{\"name\":\"winlog.event_data.Signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Signed\"}}},{\"name\":\"winlog.event_data.SubjectDomainName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectDomainName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectDomainName\"}}},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectLogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectLogonId\"}}},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectUserSid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectUserSid\"}}},{\"name\":\"winlog.event_data.SystemTimeChangeSeconds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SystemTimeChangeSeconds.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SystemTimeChangeSeconds\"}}},{\"name\":\"winlog.event_data.TargetFilename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TargetFilename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TargetFilename\"}}},{\"name\":\"winlog.event_data.TerminalSessionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TerminalSessionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TerminalSessionId\"}}},{\"name\":\"winlog.event_data.TimeOffsetSeconds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TimeOffsetSeconds.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TimeOffsetSeconds\"}}},{\"name\":\"winlog.event_data.TimeSource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TimeSource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TimeSource\"}}},{\"name\":\"winlog.event_data.TimeSourceRefId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TimeSourceRefId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TimeSourceRefId\"}}},{\"name\":\"winlog.event_data.UtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.UtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.UtcTime\"}}},{\"name\":\"winlog.event_data.errorCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.errorCode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.errorCode\"}}},{\"name\":\"winlog.event_data.param1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param1\"}}},{\"name\":\"winlog.event_data.param2\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param2.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param2\"}}},{\"name\":\"winlog.event_data.param3\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param3.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param3\"}}},{\"name\":\"winlog.event_data.param4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param4.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param4\"}}},{\"name\":\"winlog.event_data.param5\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param5\"}}},{\"name\":\"winlog.event_data.param6\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param6.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param6\"}}},{\"name\":\"winlog.event_data.param7\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param7.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param7\"}}},{\"name\":\"winlog.event_data.serviceGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.serviceGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.serviceGuid\"}}},{\"name\":\"winlog.event_data.updateGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateGuid\"}}},{\"name\":\"winlog.event_data.updateRevisionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateRevisionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateRevisionNumber\"}}},{\"name\":\"winlog.event_data.updateTitle\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateTitle.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateTitle\"}}},{\"name\":\"winlog.event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.keywords\"}}},{\"name\":\"winlog.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.opcode\"}}},{\"name\":\"winlog.process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_guid\"}}},{\"name\":\"winlog.provider_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provider_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_name\"}}},{\"name\":\"winlog.record_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.task\"}}},{\"name\":\"winlog.user.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.domain\"}}},{\"name\":\"winlog.user.identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.identifier\"}}},{\"name\":\"winlog.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.name\"}}},{\"name\":\"winlog.user.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.type\"}}},{\"name\":\"winlog.user_data.RebootReasons\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.RebootReasons.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.RebootReasons\"}}},{\"name\":\"winlog.user_data.RmSessionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.RmSessionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.RmSessionId\"}}},{\"name\":\"winlog.user_data.UTCStartTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.UTCStartTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.UTCStartTime\"}}},{\"name\":\"winlog.user_data.nApplications\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.nApplications.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.nApplications\"}}},{\"name\":\"winlog.user_data.xml_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.xml_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.xml_name\"}}},{\"name\":\"winlog.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.basic_constraints.ca\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.certificate.curve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.curve.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.curve\"}}},{\"name\":\"x509.certificate.exponent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.exponent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.exponent\"}}},{\"name\":\"x509.certificate.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.issuer\"}}},{\"name\":\"x509.certificate.key.algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.key.algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.algorithm\"}}},{\"name\":\"x509.certificate.key.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.certificate.key.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.key.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.type\"}}},{\"name\":\"x509.certificate.not_valid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.not_valid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_after\"}}},{\"name\":\"x509.certificate.not_valid_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.not_valid_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_before\"}}},{\"name\":\"x509.certificate.serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.serial\"}}},{\"name\":\"x509.certificate.signing_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.signing_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.signing_algorithm\"}}},{\"name\":\"x509.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.subject\"}}},{\"name\":\"x509.certificate.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.san_dns\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.san_dns.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.san_dns\"}}},{\"name\":\"Push to TheHive\",\"type\":\"string\",\"count\":0,\"scripted\":true,\"script\":\"'https://PLACEHOLDER/soctopus/thehive/alert/' + doc['_id'].value\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]","timeFieldName":"@timestamp","title":"*:so-*"},"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-07-16T16:56:13.728Z","version":"Wzg0NCwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - All Logs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - All Logs\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":29}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Logs Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Logs Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Destination IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"},"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Sender","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - Sender\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"From\"}}]}"},"id":"7a789740-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzgsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Recipient","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - Recipient\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"To\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.to.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Recipient\"}}]}"},"id":"a5742950-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzksMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - TLS","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - TLS\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smtp.tls: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"smtp.tls\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"TLS\"}}]}"},"id":"e77a2b60-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smtp.subject.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"0713ebf0-75e8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzExLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.useragent.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"User Agent\"}}]}"},"id":"4178ce00-75e8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyLDFd"} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:smtp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"a603d9db-ab4e-40b0-aeb8-0f1c1f84bd85\"},\"panelIndex\":\"a603d9db-ab4e-40b0-aeb8-0f1c1f84bd85\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"6fd30865-1d5d-4f8f-9173-77220bb23395\"},\"panelIndex\":\"6fd30865-1d5d-4f8f-9173-77220bb23395\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"1b0acf7a-2a47-4eb4-9cb2-34cd6c499472\"},\"panelIndex\":\"1b0acf7a-2a47-4eb4-9cb2-34cd6c499472\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":18,\"i\":\"d31027fb-a090-474f-9863-712ef30c0b3e\"},\"panelIndex\":\"d31027fb-a090-474f-9863-712ef30c0b3e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":18,\"i\":\"fb5452b7-cb91-4415-ad6b-37f2c05955fa\"},\"panelIndex\":\"fb5452b7-cb91-4415-ad6b-37f2c05955fa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":9,\"w\":15,\"h\":18,\"i\":\"9aaa1369-1a61-4bb0-bb30-6bbb476fbb8a\"},\"panelIndex\":\"9aaa1369-1a61-4bb0-bb30-6bbb476fbb8a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":18,\"i\":\"4bf1751e-8da2-4f5a-b66d-2f09338b2053\"},\"panelIndex\":\"4bf1751e-8da2-4f5a-b66d-2f09338b2053\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":18,\"h\":18,\"i\":\"9365d9e9-478f-499d-aa41-d8f42081ff1c\"},\"panelIndex\":\"9365d9e9-478f-499d-aa41-d8f42081ff1c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":27,\"w\":15,\"h\":18,\"i\":\"18ad4f7a-1a1e-4dcb-8810-bb74d247c9fa\"},\"panelIndex\":\"18ad4f7a-1a1e-4dcb-8810-bb74d247c9fa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":27,\"w\":15,\"h\":18,\"i\":\"44a5b84f-2636-45f4-bb5e-9f8ab11f4107\"},\"panelIndex\":\"44a5b84f-2636-45f4-bb5e-9f8ab11f4107\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - SMTP","version":1},"id":"00304500-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"7a789740-75e7-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"a5742950-75e7-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"e77a2b60-75e7-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"0713ebf0-75e8-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"4178ce00-75e8-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzLDFd"} +{"attributes":{"columns":["note","source_ip","destination_ip","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event_type:bro_notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Notices - Logs","version":1},"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Notices - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"3027c4f0-34e4-11e7-9669-7f1d3242b798","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Navigation","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/94b52620-342a-11e7-9d52-4f090484f59e) \\n[Help](/kibana/app/kibana#/dashboard/AV6-POJSDwoBUzALqKAg) \\n\\n**Alert Data** \\n[Bro Notices](/kibana/app/kibana#/dashboard/01600fb0-34e4-11e7-9669-7f1d3242b798) \\n[ElastAlert](/kibana/app/kibana#/dashboard/1d98d620-7dce-11e7-846a-150cdcaf3374) \\n[HIDS](/kibana/app/kibana#/dashboard/0de7a390-3644-11e7-a6f7-4f44d7bf1c33) \\n[NIDS](/kibana/app/kibana#/dashboard/7f27a830-34e5-11e7-9669-7f1d3242b798)   \\n\\n**Bro Hunting** \\n[Connections](/kibana/app/kibana#/dashboard/e0a34b90-34e6-11e7-9118-45bd317f0ca4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/46582d50-3af2-11e7-a83b-b1b4da7d15f4) \\n[DHCP](/kibana/app/kibana#/dashboard/85348270-357b-11e7-ac34-8965f6420c51) \\n[DNP3](/kibana/app/kibana#/dashboard/2fdf5bf0-3581-11e7-98ef-19df58fe538b) \\n[DNS](/kibana/app/kibana#/dashboard/ebf5ec90-34bf-11e7-9b32-bb903919ead9) \\n[Files](/kibana/app/kibana#/dashboard/2d315d80-3582-11e7-98ef-19df58fe538b) \\n[FTP](/kibana/app/kibana#/dashboard/27f3b380-3583-11e7-a588-05992195c551) \\n[HTTP](/kibana/app/kibana#/dashboard/230134a0-34c6-11e7-8360-0b86c90983fd) \\n[Intel](/kibana/app/kibana#/dashboard/468022c0-3583-11e7-a588-05992195c551) \\n[IRC](/kibana/app/kibana#/dashboard/56a34ce0-3583-11e7-a588-05992195c551) \\n[Kerberos](/kibana/app/kibana#/dashboard/6b0d4870-3583-11e7-a588-05992195c551) \\n[Modbus](/kibana/app/kibana#/dashboard/70c005f0-3583-11e7-a588-05992195c551) \\n[MySQL](/kibana/app/kibana#/dashboard/7929f430-3583-11e7-a588-05992195c551) \\n[NTLM](/kibana/app/kibana#/dashboard/022713e0-3ab0-11e7-a83b-b1b4da7d15f4) \\n[PE](/kibana/app/kibana#/dashboard/8a10e380-3583-11e7-a588-05992195c551) \\n[RADIUS](/kibana/app/kibana#/dashboard/90b246c0-3583-11e7-a588-05992195c551) \\n[RDP](/kibana/app/kibana#/dashboard/97f8c3a0-3583-11e7-a588-05992195c551) \\n[RFB](/kibana/app/kibana#/dashboard/9ef20ae0-3583-11e7-a588-05992195c551) \\n[SIP](/kibana/app/kibana#/dashboard/ad3c0830-3583-11e7-a588-05992195c551) \\n[SMB](/kibana/app/kibana#/dashboard/b3a53710-3aaa-11e7-8b17-0d8709b02c80) \\n[SMTP](/kibana/app/kibana#/dashboard/b10a9c60-3583-11e7-a588-05992195c551) \\n[SNMP](/kibana/app/kibana#/dashboard/b65c2710-3583-11e7-a588-05992195c551) \\n[Software](/kibana/app/kibana#/dashboard/c2c99c30-3583-11e7-a588-05992195c551) \\n[SSH](/kibana/app/kibana#/dashboard/c6ccfc00-3583-11e7-a588-05992195c551) \\n[SSL](/kibana/app/kibana#/dashboard/cca67b60-3583-11e7-a588-05992195c551) \\n[Syslog](/kibana/app/kibana#/dashboard/c4bbe040-76b3-11e7-ba96-cba76a1e264d) \\n[Tunnels](/kibana/app/kibana#/dashboard/d7b54ae0-3583-11e7-a588-05992195c551) \\n[Weird](/kibana/app/kibana#/dashboard/de2da250-3583-11e7-a588-05992195c551) \\n[X.509](/kibana/app/kibana#/dashboard/e5aa7170-3583-11e7-a588-05992195c551) \\n\\n**Host Hunting** \\n[Autoruns](/kibana/app/kibana#/dashboard/61d43810-6d62-11e7-8ddb-e71eb260f4a3) \\n[Beats](/kibana/app/kibana#/dashboard/AWBLNS3CRuBloj96jxub) \\n[Osquery](/kibana/app/kibana#/dashboard/9d0e2da0-14e1-11e9-82f7-0da02d93a48b) \\n[OSSEC](/kibana/app/kibana#/dashboard/3a457d70-3583-11e7-a588-05992195c551)  \\n[Sysmon](/kibana/app/kibana#/dashboard/6d189680-6d62-11e7-8ddb-e71eb260f4a3) \\n\\n**Other** \\n[Domain Stats](/kibana/app/kibana#/dashboard/AWAi6wvxAvKNGEbUWO_j) \\n[Firewall](/kibana/app/kibana#/dashboard/50173bd0-3582-11e7-98ef-19df58fe538b) \\n[Frequency](/kibana/app/kibana#/dashboard/AWAi5k4jAvKNGEbUWFis) \\n[Stats](/kibana/app/kibana#/dashboard/130017f0-46ce-11e7-946f-1bfb1be7c36b) \\n[Syslog](/kibana/app/kibana#/dashboard/4323af90-76e5-11e7-ab14-e1a4c1bc11e0)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}"},"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Source IP Addresses","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Source IP Addresses\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"66e26ad0-3580-11e7-98ef-19df58fe538b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Destination IP Addresses","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Destination IP Addresses\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"7c47b650-3580-11e7-98ef-19df58fe538b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Notice Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Notice Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"note.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}}],\"listeners\":{}}"},"id":"07fdf9e0-39ad-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - File MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - File MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_mime_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"},"id":"53c62730-39ad-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - File Description","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - File Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_description.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}"},"id":"793c2640-39ad-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Notice - Destination Port (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Notice - Destination Port (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}]}"},"id":"e85e2150-6e0e-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Notice - Message/Sub-Message","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Notice - Message/Sub-Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"msg.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sub_msg.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sub-Message\"}}],\"listeners\":{}}"},"id":"bfeb6210-7bb9-11e7-90ec-cdd3dff73b38","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Notices - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG1uC-xQT5EBNmq3dP","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Bro - Notices - Notice Types","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Notices - Notice Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"note.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Note\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"2a949080-4a3d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Notices - Destination Country","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Destination Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"1a879c90-4ca5-11e8-888d-71b91451cf05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2LDFd"} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":48,\"i\":\"7\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":48,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":72,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":72,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":136,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":32,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":48,\"h\":40,\"x\":0,\"y\":96,\"i\":\"15\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"17\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":160,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"18\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Notices","version":1},"id":"01600fb0-34e4-11e7-9669-7f1d3242b798","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"3027c4f0-34e4-11e7-9669-7f1d3242b798","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"66e26ad0-3580-11e7-98ef-19df58fe538b","name":"panel_2","type":"visualization"},{"id":"7c47b650-3580-11e7-98ef-19df58fe538b","name":"panel_3","type":"visualization"},{"id":"07fdf9e0-39ad-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"53c62730-39ad-11e7-8472-0151e5b2b475","name":"panel_5","type":"visualization"},{"id":"793c2640-39ad-11e7-8472-0151e5b2b475","name":"panel_6","type":"visualization"},{"id":"e85e2150-6e0e-11e7-8624-1fb07dd76c6a","name":"panel_7","type":"visualization"},{"id":"bfeb6210-7bb9-11e7-90ec-cdd3dff73b38","name":"panel_8","type":"visualization"},{"id":"AWDG1uC-xQT5EBNmq3dP","name":"panel_9","type":"visualization"},{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"panel_10","type":"search"},{"id":"2a949080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"},{"id":"1a879c90-4ca5-11e8-888d-71b91451cf05","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3LDFd"} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ntlm\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"NTLM - Logs","version":1},"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NTLM - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"36f23eb0-3ab0-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Hostname","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"},"id":"e2c8e040-3ab0-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Username","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"NTLM - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}"},"id":"4d869ee0-3ab1-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"d37b9330-3af1-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f3a92f50-3af1-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"d7f162b0-6e1c-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"NTLM - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHCEx7xQT5EBNmq4Vf","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NTLM - Hostname to Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Hostname to Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"domain_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}]}"},"id":"75ab1050-4a59-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Server NetBIOS Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Server NetBIOS Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_nb_computer_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server NetBIOS Name\"}}]}"},"id":"c23ea470-0edc-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Server DNS Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Server DNS Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_dns_computer_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server DNS Name\"}}]}"},"id":"ee6a03f0-0edc-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Server Tree Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Server Tree Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_tree_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Tree Name\"}}]}"},"id":"2a054320-0edd-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5LDFd"} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":53,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"x\":0,\"y\":77,\"w\":48,\"h\":24,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":24,\"y\":8,\"w\":12,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":53,\"w\":16,\"h\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":53,\"w\":16,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":32,\"y\":53,\"w\":16,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":35,\"y\":32,\"w\":13,\"h\":21,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":22,\"y\":32,\"w\":13,\"h\":21,\"i\":\"18\"},\"panelIndex\":\"18\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":21,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"Bro - NTLM","version":1},"id":"022713e0-3ab0-11e7-a83b-b1b4da7d15f4","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"36f23eb0-3ab0-11e7-a83b-b1b4da7d15f4","name":"panel_1","type":"visualization"},{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"panel_2","type":"search"},{"id":"e2c8e040-3ab0-11e7-a83b-b1b4da7d15f4","name":"panel_3","type":"visualization"},{"id":"4d869ee0-3ab1-11e7-a83b-b1b4da7d15f4","name":"panel_4","type":"visualization"},{"id":"d37b9330-3af1-11e7-a83b-b1b4da7d15f4","name":"panel_5","type":"visualization"},{"id":"f3a92f50-3af1-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"d7f162b0-6e1c-11e7-b553-7f80727663c1","name":"panel_7","type":"visualization"},{"id":"AWDHCEx7xQT5EBNmq4Vf","name":"panel_8","type":"visualization"},{"id":"75ab1050-4a59-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"},{"id":"c23ea470-0edc-11e9-9846-59f545e7293f","name":"panel_10","type":"visualization"},{"id":"ee6a03f0-0edc-11e9-9846-59f545e7293f","name":"panel_11","type":"visualization"},{"id":"2a054320-0edd-11e9-9846-59f545e7293f","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwLDFd"} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.category:network\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Network Data","version":1},"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network - Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network - Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"source.ip.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"0242ab70-6eae-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security Onion - Files","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Files\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Strelka](/kibana/app/kibana#/dashboard/ff689c50-75f3-11ea-9565-7315f4ee5cac) \\n[Zeek](/kibana/app/kibana#/dashboard/ad4d5d60-75f4-11ea-9565-7315f4ee5cac)\"},\"aggs\":[]}"},"id":"9a5058f0-6e99-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Log Count Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"date\":true,\"interval\":\"PT30M\",\"intervalESValue\":30,\"intervalESUnit\":\"m\",\"format\":\"HH:mm\",\"bounds\":{\"min\":\"2020-03-29T18:17:18.800Z\",\"max\":\"2020-03-30T18:17:18.800Z\"}},\"label\":\"@timestamp per 30 minutes\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.module:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Modules","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Modules\"}"},"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T13:08:54.117Z","version":"WzczMywyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Dataset","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Dataset\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.dataset.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}}]}"},"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"bcf25e30-75f1-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FIle - Total Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Security Onion - FIle - Total Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.bytes.total: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.bytes.total\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Total Bytes\"}}]}"},"id":"efc25540-75f1-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.mime_type.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.mime_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MIMEType\"}}]}"},"id":"e8d35c50-75f3-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ5LDFd"} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:file*\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"6948ea4a-398f-4ab1-a269-e1e6ecd29e12\"},\"panelIndex\":\"6948ea4a-398f-4ab1-a269-e1e6ecd29e12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":7,\"y\":0,\"w\":15,\"h\":7,\"i\":\"d09eef70-f2b5-4085-b619-11cae812be58\"},\"panelIndex\":\"d09eef70-f2b5-4085-b619-11cae812be58\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":7,\"i\":\"0dd18bd2-6631-4772-b3d0-4a92ff713e3a\"},\"panelIndex\":\"0dd18bd2-6631-4772-b3d0-4a92ff713e3a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":8,\"h\":20,\"i\":\"86d343d4-c030-46a3-9f3e-083ccbf28b04\"},\"panelIndex\":\"86d343d4-c030-46a3-9f3e-083ccbf28b04\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":7,\"w\":8,\"h\":20,\"i\":\"2fb5d1e8-4ac6-42c4-852e-9046c2970086\"},\"panelIndex\":\"2fb5d1e8-4ac6-42c4-852e-9046c2970086\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":7,\"w\":10,\"h\":20,\"i\":\"7875de58-924b-4b27-bd51-159b5657659f\"},\"panelIndex\":\"7875de58-924b-4b27-bd51-159b5657659f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":7,\"w\":10,\"h\":20,\"i\":\"f1f8a5c7-9e9f-460d-a2b8-eaca8d834c6b\"},\"panelIndex\":\"f1f8a5c7-9e9f-460d-a2b8-eaca8d834c6b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":36,\"y\":7,\"w\":12,\"h\":20,\"i\":\"06055634-ec80-478d-93d5-67e1cc46e1ab\"},\"panelIndex\":\"06055634-ec80-478d-93d5-67e1cc46e1ab\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Files","version":1},"id":"0245be10-6ec1-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"9a5058f0-6e99-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"bcf25e30-75f1-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"efc25540-75f1-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"e8d35c50-75f3-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwLDFd"} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SSL - Logs","version":1},"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSL - Version (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSL - Version (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"version.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"02699580-365a-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyLDFd"} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_sip\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SIP - Logs","version":1},"id":"9e131480-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SIP - Status","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_code\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Code\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_msg.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}}]}"},"id":"0291dba0-4c78-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0LDFd"} +{"attributes":{"columns":["osquery.columns.permissions","osquery.columns.name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery AND osquery.name:*chrome* AND osquery.columns.permissions:('all_urls','privacy')\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"osquery - Chrome Extensions - Sensitive Permissions","version":1},"id":"040dda10-18d8-11e9-932c-d12d2cf4ee95","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"04e1aea0-3750-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2LDFd"} +{"attributes":{"columns":["osquery.hostname","osquery.columns.username","osquery.LiveQuery","osquery.columns.name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery AND osquery.name:*chrome*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"osquery - Chrome Extensions","version":1},"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Chrome Extensions - Changes by Hostname","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"osquery - Chrome Extensions - Changes by Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.hostname.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}]}"},"id":"04f86530-1a59-11e9-ac0b-cb0ba10141ab","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"network.protocol:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Top Network Protocols","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Top Network Protocols\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"metric\":{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}}},\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.protocol.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}"},"id":"d9eb5b30-6ea9-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network - Transport","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network - Transport\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"network.transport.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.transport.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"79cc9670-6ead-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwLDFd"} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.category: network\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"b18f064d-2fba-45d8-a3c3-700ecec939a3\"},\"panelIndex\":\"b18f064d-2fba-45d8-a3c3-700ecec939a3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":14,\"h\":9,\"i\":\"3bf59d17-132e-47bc-b548-e1e073491ec5\"},\"panelIndex\":\"3bf59d17-132e-47bc-b548-e1e073491ec5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":27,\"y\":0,\"w\":21,\"h\":9,\"i\":\"49c9ae10-3f16-4cec-b044-c5cf2db199ae\"},\"panelIndex\":\"49c9ae10-3f16-4cec-b044-c5cf2db199ae\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":13,\"h\":19,\"i\":\"87427ca5-e0b9-4ec8-bb5f-3452803befe1\"},\"panelIndex\":\"87427ca5-e0b9-4ec8-bb5f-3452803befe1\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":9,\"w\":12,\"h\":19,\"i\":\"a7745b0f-1c69-4837-9f7e-3d79b5a2ac60\"},\"panelIndex\":\"a7745b0f-1c69-4837-9f7e-3d79b5a2ac60\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":36,\"y\":9,\"w\":12,\"h\":19,\"i\":\"221a543a-98d4-46dd-8e7c-bf97bb292021\"},\"panelIndex\":\"221a543a-98d4-46dd-8e7c-bf97bb292021\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":9,\"w\":11,\"h\":19,\"i\":\"3d3199e1-d839-4738-bc99-e030365b7070\"},\"panelIndex\":\"3d3199e1-d839-4738-bc99-e030365b7070\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - Network","version":1},"id":"04ff3ef0-6ea4-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"d9eb5b30-6ea9-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"79cc9670-6ead-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxLDFd"} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"event_type:bro_conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Connections - Logs","version":1},"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Missed Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Missed Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"missed_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Missed Bytes\"}}],\"listeners\":{}}"},"id":"05088150-3670-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - Path","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smb.path.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.path.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Path\"}}]}"},"id":"052df440-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - GID/SID","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - GID/SID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"GID\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"SID\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.rev: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.gid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"GID\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.signature_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SID\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.rev\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Revision\"}}]}"},"id":"053f7130-7734-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Originator Bytes ( Tile Map)","uiStateJSON":"{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}","version":1,"visState":"{\"title\":\"Connections - Source - Originator Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"original_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"05809df0-46cb-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2LDFd"} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"osquery - Logs","version":1},"id":"84116380-14e1-11e9-82f7-0da02d93a48b","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Changes by Hostname","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"osquery - Changes by Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.hostname.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}]}"},"id":"05a5ed10-14e4-11e9-82f7-0da02d93a48b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4LDFd"} +{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ftp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"FTP - Logs","version":1},"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"FTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"06f21d60-35b6-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Query","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNS - Query\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.query.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.query.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Query\"}}]}"},"id":"07065340-72ba-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - PE - Section","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.section_names.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Section\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - PE - Section\"}"},"id":"07419650-c763-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T12:51:12.564Z","version":"WzczMCwyXQ=="} +{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_intel\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Intel - Logs","version":1},"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcyLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Intel - Indicator Type (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Intel - Indicator Type (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Indicator Type\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"indicator_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator Type\"}}]}"},"id":"07622d60-6e16-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzczLDFd"} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_mysql\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"MySQL - Logs","version":1},"id":"5d624230-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzc0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"MySQL - Command/Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"MySQL - Command/Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql_command.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql_argument.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}"},"id":"07e25650-3812-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzc1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - HTTP - Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"http.method.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"},"id":"088aad70-7377-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzc2LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Hash - SHA256","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Hash - SHA256\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.hash.sha256.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.sha256.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"08c0b770-772e-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzc3LDFd"} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssh\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SSH - Logs","version":1},"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzc4LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSH - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"09457310-3641-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzc5LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Hash - MD5","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Hash - MD5\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.md5.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MD5\"}}]}"},"id":"09fc6ef0-7732-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzgwLDFd"} +{"attributes":{"columns":["source_ip","syslog-host_from","syslog-priority"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"tags:syslog\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Syslog (All) - Logs","version":1},"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzgxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Host From","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Syslog - Host From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Host (From)\"}}],\"listeners\":{}}"},"id":"0a2ce700-76e6-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzgyLDFd"} +{"attributes":{"columns":["host","certificate_subject","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"X.509 - Logs","version":1},"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzgzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Issuer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_issuer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer\"}}],\"listeners\":{}}"},"id":"0a5f7b30-37d9-11e7-9efb-91e89505091f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzg0LDFd"} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_rdp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"RDP - Logs","version":1},"id":"823dd600-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzg1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"0b9dea80-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzg2LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Certificate Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Certificate Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.certificate_type.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.certificate_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"id":"0c006bb0-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzg3LDFd"} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DNS - Logs","version":1},"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzg4LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Query Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Query Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query_type_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Type\"}}]}"},"id":"0c338e50-4a4e-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzg5LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RADIUS - Reply","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RADIUS - Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"radius.reply_message.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"radius.reply_message.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply\"}}]}"},"id":"0ca071b0-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzkwLDFd"} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.module:sysmon\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Sysmon","version":1},"id":"6281da80-c780-11ea-bebb-37c5ab5894ea","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-16T16:21:21.064Z","version":"WzgzOSwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security Onion - Sysmon Datasets","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"host.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - Sysmon Datasets\"}"},"id":"0caa7df0-c781-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"6281da80-c780-11ea-bebb-37c5ab5894ea","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-16T16:26:06.541Z","version":"Wzg0MCwyXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:conn\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Connections","version":1},"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzkxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Connections Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date_range\",\"params\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}},\"params\":{},\"label\":\"@timestamp date ranges\",\"aggType\":\"date_range\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"34721460-6ebc-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzkyLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}"},"id":"c9121690-6ea0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzkzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - State","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - State\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"connection.state.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection.state.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"State\"}}]}"},"id":"23b65290-6ea2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzk0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Connections - State (Desc)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection.state_description.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Connection State\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - Connections - State (Desc)\"}"},"id":"dc3f2c10-c6d6-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T20:07:50.857Z","version":"WzcwOSwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Client Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Client Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Client Bytes\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.bytes\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client Bytes\"}}]}"},"id":"98f6e9d0-6ea1-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzk1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Responder Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Responder Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Server Bytes\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.bytes\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Bytes\"}}]}"},"id":"70565ec0-6ea1-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzk2LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - History","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - History\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection.history.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"History\"}}]}"},"id":"5414ad60-6ea2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzk3LDFd"} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:conn\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"a05b7540-74b1-40db-b1d6-0e151f5bbaba\"},\"panelIndex\":\"a05b7540-74b1-40db-b1d6-0e151f5bbaba\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":13,\"h\":9,\"i\":\"78f096e9-6e6b-4144-a63f-3767deab6c8c\"},\"panelIndex\":\"78f096e9-6e6b-4144-a63f-3767deab6c8c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":9,\"i\":\"f24faa4b-0270-44e6-af45-639e2d39c2c3\"},\"panelIndex\":\"f24faa4b-0270-44e6-af45-639e2d39c2c3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":11,\"h\":18,\"i\":\"8cc3f2ee-fcc8-4ddb-8f44-ec0b08da4756\"},\"panelIndex\":\"8cc3f2ee-fcc8-4ddb-8f44-ec0b08da4756\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":11,\"y\":9,\"w\":12,\"h\":18,\"i\":\"5558d00d-f3fd-4051-96a4-384134149228\"},\"panelIndex\":\"5558d00d-f3fd-4051-96a4-384134149228\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":23,\"y\":9,\"w\":13,\"h\":18,\"i\":\"ccdbd90c-299e-4e60-a139-1505f1329071\"},\"panelIndex\":\"ccdbd90c-299e-4e60-a139-1505f1329071\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":36,\"y\":9,\"w\":12,\"h\":18,\"i\":\"d678bf2f-f183-4981-9142-976880029daa\"},\"panelIndex\":\"d678bf2f-f183-4981-9142-976880029daa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":19,\"h\":18,\"i\":\"97f0546b-01c5-41c1-9316-099f2b3c8d91\"},\"panelIndex\":\"97f0546b-01c5-41c1-9316-099f2b3c8d91\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":19,\"y\":27,\"w\":9,\"h\":18,\"i\":\"598bda31-1136-4474-9384-451491a71d23\"},\"panelIndex\":\"598bda31-1136-4474-9384-451491a71d23\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":28,\"y\":27,\"w\":9,\"h\":18,\"i\":\"8192def5-399b-4728-8646-edf393b63b7e\"},\"panelIndex\":\"8192def5-399b-4728-8646-edf393b63b7e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":37,\"y\":27,\"w\":11,\"h\":18,\"i\":\"755322ff-13a8-4121-a2db-6322c037e8b3\"},\"panelIndex\":\"755322ff-13a8-4121-a2db-6322c037e8b3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - Connections","version":1},"id":"0cc628b0-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"34721460-6ebc-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"c9121690-6ea0-11ea-9266-1fd14ca6af34","name":"panel_5","type":"visualization"},{"id":"23b65290-6ea2-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"},{"id":"dc3f2c10-c6d6-11ea-bebb-37c5ab5894ea","name":"panel_7","type":"visualization"},{"id":"98f6e9d0-6ea1-11ea-9266-1fd14ca6af34","name":"panel_8","type":"visualization"},{"id":"70565ec0-6ea1-11ea-9266-1fd14ca6af34","name":"panel_9","type":"visualization"},{"id":"5414ad60-6ea2-11ea-9266-1fd14ca6af34","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T20:08:44.243Z","version":"WzcxMCwyXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_modbus\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Modbus - Logs","version":1},"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"Wzk5LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Modbus - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwMCwxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_weird\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Weird - Logs","version":1},"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Weird - Log Count Over TIme\",\"type\":\"line\"}"},"id":"0dbcade0-3642-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwMiwxXQ=="} +{"attributes":{"columns":["alert_level","classification","description"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[{\"meta\":{\"negate\":false,\"key\":\"tags\",\"value\":\"alert\",\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"tags\":{\"query\":\"alert\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"query\":{\"query_string\":{\"query\":\"event_type:ossec\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"OSSEC - Alerts","version":1},"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"4fa0e530-3644-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Alert Level (Pie Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Alert Level (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"alert_level.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Alert Level\"}}]}"},"id":"69d98570-398b-11e7-84f8-a1f7cef50fcb","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG4pcDxQT5EBNmq3pi","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Event Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Event Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"description.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Description\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Agent\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"\",\"customLabel\":\"Username\"}}]}"},"id":"ee0ba080-4a3d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - User to Escalated User (Data Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - User to Escalated User (Data Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"escalated_user.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Escalated User\"}}]}"},"id":"1de31b40-4a42-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Command (Data Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Command (Data Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"},"id":"9ff34f60-4a42-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEwOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Process and Username (Data Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Process and Username (Data Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Process\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"},"id":"447bd2f0-4a43-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzExMCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"h\":60,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":28,\"i\":\"6\",\"w\":16,\"x\":32,\"y\":8},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"h\":56,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":88},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"columns\":[\"alert_level\",\"classification\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"h\":28,\"i\":\"13\",\"w\":24,\"x\":8,\"y\":8},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":36},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"gridData\":{\"h\":28,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"embeddableConfig\":{\"spy\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":24,\"i\":\"16\",\"w\":24,\"x\":8,\"y\":36},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"OSSEC Alerts","version":1},"id":"0de7a390-3644-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"4fa0e530-3644-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"69d98570-398b-11e7-84f8-a1f7cef50fcb","name":"panel_2","type":"visualization"},{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"},{"id":"AWDG4pcDxQT5EBNmq3pi","name":"panel_4","type":"visualization"},{"id":"ee0ba080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"1de31b40-4a42-11e8-9b0a-f1d33346f773","name":"panel_6","type":"visualization"},{"id":"9ff34f60-4a42-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"},{"id":"447bd2f0-4a43-11e8-9b0a-f1d33346f773","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzExMSwxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_snmp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SNMP - Logs","version":1},"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzExMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"0defabb0-36b9-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzExMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"Security Onion - Alert Data","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Playbook](/kibana/app/kibana#/dashboard/f449f0a0-c77c-11ea-bebb-37c5ab5894ea) \\n[Suricata](/kibana/app/kibana#/dashboard/81057f40-7733-11ea-bee5-af7f7c7b8e05) \\n[Wazuh](/kibana/app/kibana#/dashboard/9480f190-7732-11ea-bee5-af7f7c7b8e05) \\n[Zeek](/kibana/app/kibana#/dashboard/fa9ed760-7734-11ea-bee5-af7f7c7b8e05) \\n\"},\"title\":\"Security Onion - Alert Data\"}"},"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-16T15:57:30.488Z","version":"WzgyNCwyXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:alert\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Alerts","version":1},"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzExNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Alerts - Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Alerts - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"931cb6f0-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzExNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Alerts Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Alerts Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"b419b100-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzExNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security Onion - Rule - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Rule - Name\"}"},"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-16T15:41:34.211Z","version":"WzgwMiwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - Severity","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.severity_label.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"title\":\"Security Onion - Rule - Severity\"}"},"id":"a37b9fa0-72b0-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T15:42:56.387Z","version":"WzgwNywyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Rule - Category","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - Category\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.category.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"}}]}"},"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Destination Ports","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Destination Ports\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"destination.port: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}"},"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyMSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: alert\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Low & Medium Severity\",\"disabled\":true,\"key\":\"event.severity\",\"negate\":false,\"params\":{\"gte\":1,\"lt\":3},\"type\":\"range\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"range\":{\"event.severity\":{\"gte\":1,\"lt\":3}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"High & Critical Severity\",\"disabled\":true,\"key\":\"event.severity\",\"negate\":false,\"params\":{\"gte\":3,\"lt\":5},\"type\":\"range\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"range\":{\"event.severity\":{\"gte\":3,\"lt\":5}}}]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"c2ddba4b-b0a1-4204-b952-fdc8073dd3c6\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"c2ddba4b-b0a1-4204-b952-fdc8073dd3c6\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"5a22818d-a0f7-4b39-978f-bee1e4280a54\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"5a22818d-a0f7-4b39-978f-bee1e4280a54\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"41a7c313-2dc3-4563-8545-a55f57af532c\",\"w\":25,\"x\":23,\"y\":0},\"panelIndex\":\"41a7c313-2dc3-4563-8545-a55f57af532c\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"7f00befc-4315-45d2-b686-fa99db9fb79c\",\"w\":29,\"x\":0,\"y\":8},\"panelIndex\":\"7f00befc-4315-45d2-b686-fa99db9fb79c\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"1fa5c765-6991-4ece-a6a4-cdb6f2d35553\",\"w\":19,\"x\":29,\"y\":8},\"panelIndex\":\"1fa5c765-6991-4ece-a6a4-cdb6f2d35553\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"eee74597-fa74-4bf6-9c71-429bfe4c3ecd\",\"w\":19,\"x\":0,\"y\":27},\"panelIndex\":\"eee74597-fa74-4bf6-9c71-429bfe4c3ecd\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"fa0e8955-a837-400c-abcb-43394471b39d\",\"w\":10,\"x\":19,\"y\":27},\"panelIndex\":\"fa0e8955-a837-400c-abcb-43394471b39d\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"b60abef8-9b1e-4bae-ac3f-d7eb5a230430\",\"w\":10,\"x\":29,\"y\":27},\"panelIndex\":\"b60abef8-9b1e-4bae-ac3f-d7eb5a230430\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"799598a4-39de-455d-bc39-409466b8b119\",\"w\":9,\"x\":39,\"y\":27},\"panelIndex\":\"799598a4-39de-455d-bc39-409466b8b119\",\"version\":\"7.7.1\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - Alerts","version":1},"id":"0e4af1d0-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index","type":"index-pattern"},{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"931cb6f0-72ae-11ea-8dd2-9d8795a1200b","name":"panel_1","type":"visualization"},{"id":"b419b100-72ae-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"a37b9fa0-72b0-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-16T15:47:02.445Z","version":"WzgxMywyXQ=="} +{"attributes":{"columns":["event_type","source_ip","source_port","destination_ip","destination_port","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:sysmon\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon - Logs","version":1},"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_hostname.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source Hostname\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_hostname.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Hostname\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}],\"listeners\":{}}"},"id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Kerberos Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Kerberos Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"kerberos.client.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"},"id":"0ecc7310-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyNSwxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"All Logs","version":1},"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sensors/Devices - Total Number of Logs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sensors/Devices - Total Number of Logs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor/Device\"}}]}"},"id":"0f25aac0-3434-11e7-8867-29a39c0f86b2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Direction","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SSH - Direction\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.direction.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssh.direction.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Direction\"}}]}"},"id":"104a4a90-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyOCwxXQ=="} +{"attributes":{"columns":["source_ip","destination_ip","message_types","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dhcp\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DHCP - Logs","version":1},"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEyOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DHCP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"},"id":"1055ada0-3655-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzMCwxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dce_rpc\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DCE/RPC - Logs","version":1},"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"10b8a610-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzMiwxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_radius\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"RADIUS - Logs","version":1},"id":"75545310-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - MAC","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - MAC\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mac.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MAC Address\"}}],\"listeners\":{}}"},"id":"10cd7190-3809-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Sum of Total Bytes ( Tile Map)","uiStateJSON":"{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}","version":1,"visState":"{\"title\":\"Connections - Source - Sum of Total Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"1156b1e0-46c7-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Logstash - Processing Performance","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Logstash - Processing Performance\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Log Type\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Average processing time\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Standard Deviation of logstash_time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\",\"customLabel\":\"Average processing time\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_type.keyword\",\"size\":20,\"orderAgg\":{\"id\":\"2-orderAgg\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"orderAgg\",\"params\":{\"field\":\"logstash_time\"}},\"order\":\"desc\",\"orderBy\":\"custom\",\"customLabel\":\"Log Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"std_dev\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"},"id":"f86bc870-46ce-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzNiwxXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"tags:_grokparsefailure OR tags:_csvparsefailure OR tags:_rubyexception\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Errors","version":1},"id":"ef487fd0-46cf-11e7-ba56-317a6969f55c","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Logstash - Error Type (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Logstash - Error Type (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tags.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"exclude\":\"\",\"include\":\"_csvparsefailure|_grokparsefailure|_rubyexception\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"3a273780-46d0-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ef487fd0-46cf-11e7-ba56-317a6969f55c","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Avg Processing Time","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Avg Processing Time\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"},"id":"AWDHIynExQT5EBNmq49q","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzEzOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Median Processing TIme","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Median Processing TIme\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"median\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\",\"percents\":[50]}}],\"listeners\":{}}"},"id":"AWDHJY1BxQT5EBNmq5Ay","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Max Processing Time","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Max Processing Time\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"},"id":"AWDHJpuBxQT5EBNmq5Cr","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"tags:_grokparsefailure OR tags:_csvparsefailure OR tags:_rubyexception\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Error Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Error Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHKEF2xQT5EBNmq5FA","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sensors/Devices and Services","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sensors/Devices and Services\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sensor_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}]}"},"id":"d8214de0-4a3a-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0MywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":12,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":12,\"h\":28,\"x\":8,\"y\":36,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":64,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":8,\"h\":64,\"x\":0,\"y\":0,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":88,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":12,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":12,\"x\":16,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":12,\"x\":24,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":12,\"x\":32,\"y\":0,\"i\":\"18\"},\"panelIndex\":\"18\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"w\":28,\"h\":28,\"x\":20,\"y\":36,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Stats","version":1},"id":"130017f0-46ce-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"f86bc870-46ce-11e7-946f-1bfb1be7c36b","name":"panel_0","type":"visualization"},{"id":"0f25aac0-3434-11e7-8867-29a39c0f86b2","name":"panel_1","type":"visualization"},{"id":"3a273780-46d0-11e7-946f-1bfb1be7c36b","name":"panel_2","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_3","type":"visualization"},{"id":"ef487fd0-46cf-11e7-ba56-317a6969f55c","name":"panel_4","type":"search"},{"id":"AWDHIynExQT5EBNmq49q","name":"panel_5","type":"visualization"},{"id":"AWDHJY1BxQT5EBNmq5Ay","name":"panel_6","type":"visualization"},{"id":"AWDHJpuBxQT5EBNmq5Cr","name":"panel_7","type":"visualization"},{"id":"AWDHKEF2xQT5EBNmq5FA","name":"panel_8","type":"visualization"},{"id":"d8214de0-4a3a-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Destination - Sum of Total Bytes ( Tile Map)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Destination - Sum of Total Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"1342e630-4632-11e7-9903-85f789353078","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Response Code Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.response.code_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Response Code Name\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - DNS - Response Code Name\"}"},"id":"13cda410-c770-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T14:24:37.072Z","version":"Wzc1NywyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User\"}}]}"},"id":"13ed0810-6d72-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Connection State","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Connection State\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection_state_description.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection State Description\"}}],\"listeners\":{}}"},"id":"13fe29c0-3b17-11e7-b871-5f76306b9694","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0NywxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_rfb\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"RFB - Logs","version":1},"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Exclusive Session (Donut Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"RFB - Exclusive Session (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"share_flag.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"14274040-371f-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE0OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Agents","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Agents\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"agent.type.keyword: Descending\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"agent.version.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Agent\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Version\"}}]}"},"id":"14ed9540-6ed7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Key Length (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Key Length (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Key Length\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"certificate_key_length\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Key Length\"}}],\"listeners\":{}}"},"id":"150f7280-6e37-11e7-a8d6-ed2e692de531","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - Description","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.description.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"1563f380-7737-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1MiwxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"(event_type:bro_smb_mapping OR event_type:bro_smb_files)\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SMB - Logs","version":1},"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"15b4e7a0-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Server Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Server Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Server Address\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.address.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Address\"}}]}"},"id":"15fa3b30-7375-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"178209e0-6e1b-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Destination Port","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Destination Port\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"19dfd180-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1NywxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event_type:ids\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"NIDS - Alerts","version":1},"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Drilldown - Alert Title","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS - Drilldown - Alert Title\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":12}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"alert.keyword\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"}}]}"},"id":"1b3faca0-e064-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE1OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Source IP Address","uiStateJSON":"{\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-6\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"1b837b00-364e-11e7-9dc3-d35061cb642d","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Total Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Total Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"1c2aeb50-365e-11e7-b896-5bdd6bfa1561","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.service.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"1c6567b0-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2MiwxXQ=="} +{"attributes":{"columns":["entry","entry_location","image_path","hostname","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:autoruns\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Autoruns - Logs","version":1},"id":"dd700830-6d69-11e7-ad64-15aa071374a6","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Profile","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Profile\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"profile.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Profile\"}}],\"listeners\":{}}"},"id":"1cd6a970-6d79-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Log Count Over Time","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"ElastAlert - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"969e4820-7dce-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Alert Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Alert Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert_info.type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Alert Type\"}}],\"listeners\":{}}"},"id":"f7998d60-7dce-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Rule","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Rule\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule_name\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Rule\"}}],\"listeners\":{}}"},"id":"5e1dc100-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.source_ip.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}}],\"listeners\":{}}"},"id":"8ec77cb0-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.destination_ip.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}}],\"listeners\":{}}"},"id":"a26faee0-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE2OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"ce25b750-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3MCwxXQ=="} +{"attributes":{"columns":["rule_name","matches","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"ElastAlert","version":1},"id":"e8840d40-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Elastalert - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Elastalert - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG7DVRxQT5EBNmq3zM","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3MiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"4\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":48,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{\"columns\":[\"rule_name\",\"matches\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"10\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"ElastAlert","version":1},"id":"1d98d620-7dce-11e7-846a-150cdcaf3374","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"969e4820-7dce-11e7-a1a2-3be6827d22ce","name":"panel_1","type":"visualization"},{"id":"f7998d60-7dce-11e7-a1a2-3be6827d22ce","name":"panel_2","type":"visualization"},{"id":"5e1dc100-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_3","type":"visualization"},{"id":"8ec77cb0-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_4","type":"visualization"},{"id":"a26faee0-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_5","type":"visualization"},{"id":"ce25b750-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_6","type":"visualization"},{"id":"e8840d40-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_7","type":"search"},{"id":"AWDG7DVRxQT5EBNmq3zM","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"1ecdd2e0-34c0-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Method (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Method (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"method.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}"},"id":"1ef5c230-6e24-11e7-a261-55504638cf3b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Command/Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - Command/Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.command.keyword: Descending\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.argument.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.command.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.argument.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Argument\"}}]}"},"id":"1f306f60-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNP3 - FC Reply","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - DNP3 - FC Reply\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dnp3.fc_reply.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"FC Reply\"}}]}"},"id":"214793c0-75b9-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Destination Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"21d090d0-365b-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE3OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Response Code (Name)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Response Code (Name)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rcode_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response Code (Name)\"}}]}"},"id":"22f7de30-4949-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4MCwxXQ=="} +{"attributes":{"columns":["source_ip","destination_ip","destination_port","resp_fuids","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_http\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"HTTP - Logs","version":1},"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"37f19e40-34c6-11e7-8360-0b86c90983fd","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Sites","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Sites\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}"},"id":"8ba31820-34c6-11e7-8360-0b86c90983fd","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"\\\"application/x-dosexec\\\"\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"HTTP - Sites Hosting EXEs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Sites Hosting EXEs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}"},"id":"7153e7f0-34c7-11e7-8360-0b86c90983fd","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - URIs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - URIs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"uri.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}"},"id":"aa7abb00-34e3-11e7-9669-7f1d3242b798","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"ae1f1fb0-3648-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"d0f56da0-3648-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"useragent.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}"},"id":"ae591c20-4164-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Referrer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Referrer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"referrer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"2a7c21d0-4165-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE4OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - MIME Type (Tag Cloud)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - MIME Type (Tag Cloud)\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":40},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"resp_mime_types.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"},"id":"934fe550-6e08-11e7-9370-174c4785d3e1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"HTTP - Destination Port (Vertical Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - Destination Port (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}]}"},"id":"3f4abb40-6e0a-11e7-84cc-b363f104b3c7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"HTTP - Destination Country (Vertical Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - Destination Country (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}]}"},"id":"e41a0bd0-6e0a-11e7-84cc-b363f104b3c7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"HTTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG97t7xQT5EBNmq4E1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"HTTP - Status and Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"HTTP - Status and Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_message.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Status Message\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"method.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}]}"},"id":"66faa650-4c99-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5NCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":52,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":0,\"y\":88,\"w\":48,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":0,\"y\":112,\"w\":48,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":0,\"y\":136,\"w\":48,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":216,\"w\":48,\"h\":36,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"resp_fuids\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"14\",\"gridData\":{\"x\":0,\"y\":52,\"w\":24,\"h\":24,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":24,\"y\":52,\"w\":24,\"h\":24,\"i\":\"15\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"16\",\"gridData\":{\"x\":0,\"y\":188,\"w\":48,\"h\":28,\"i\":\"16\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"17\",\"gridData\":{\"x\":0,\"y\":160,\"w\":48,\"h\":28,\"i\":\"17\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"19\",\"gridData\":{\"x\":0,\"y\":76,\"w\":48,\"h\":12,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"20\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":20,\"i\":\"20\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"21\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":20,\"i\":\"21\"},\"embeddableConfig\":{\"vis\":{\"colors\":{\"Count\":\"#629E51\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"panelIndex\":\"23\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"23\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"panelIndex\":\"24\",\"gridData\":{\"x\":8,\"y\":28,\"w\":40,\"h\":24,\"i\":\"24\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - HTTP","version":1},"id":"230134a0-34c6-11e7-8360-0b86c90983fd","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"37f19e40-34c6-11e7-8360-0b86c90983fd","name":"panel_1","type":"visualization"},{"id":"8ba31820-34c6-11e7-8360-0b86c90983fd","name":"panel_2","type":"visualization"},{"id":"7153e7f0-34c7-11e7-8360-0b86c90983fd","name":"panel_3","type":"visualization"},{"id":"aa7abb00-34e3-11e7-9669-7f1d3242b798","name":"panel_4","type":"visualization"},{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"ae1f1fb0-3648-11e7-bf60-314364dd1cde","name":"panel_6","type":"visualization"},{"id":"d0f56da0-3648-11e7-bf60-314364dd1cde","name":"panel_7","type":"visualization"},{"id":"ae591c20-4164-11e7-9850-b78558d0ac17","name":"panel_8","type":"visualization"},{"id":"2a7c21d0-4165-11e7-9850-b78558d0ac17","name":"panel_9","type":"visualization"},{"id":"934fe550-6e08-11e7-9370-174c4785d3e1","name":"panel_10","type":"visualization"},{"id":"3f4abb40-6e0a-11e7-84cc-b363f104b3c7","name":"panel_11","type":"visualization"},{"id":"e41a0bd0-6e0a-11e7-84cc-b363f104b3c7","name":"panel_12","type":"visualization"},{"id":"AWDG97t7xQT5EBNmq4E1","name":"panel_13","type":"visualization"},{"id":"66faa650-4c99-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Validation Status","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Validation Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"validation_status.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}}],\"listeners\":{}}"},"id":"23d22bd0-70b4-11e7-810e-2bafe9e41c10","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Connections - Bytes and Duration","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Bytes and Duration\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Top Total Bytes](/kibana/app/kibana#/dashboard/a2ab0c40-3b0a-11e7-a6f9-5d3fe735ec2b) \\n[Source - Originator Bytes](/kibana/app/kibana#/dashboard/68f738e0-46ca-11e7-946f-1bfb1be7c36b) | [Destination - Responder Bytes](/kibana/app/kibana#/dashboard/b65775e0-46cb-11e7-946f-1bfb1be7c36b) \\n[Source - Sum of Total Bytes](/kibana/app/kibana#/dashboard/f042ad60-46c6-11e7-946f-1bfb1be7c36b) | [Destination - Sum of Total Bytes](/kibana/app/kibana#/dashboard/ccfcc540-4638-11e7-a82e-d97152153689) \\n[Source - Top Connection Duration](/kibana/app/kibana#/dashboard/4e108070-46c7-11e7-946f-1bfb1be7c36b) | [Destination - Top Connection Duration](/kibana/app/kibana#/dashboard/ea211360-46c4-11e7-a82e-d97152153689)\",\"fontSize\":12,\"openLinksInNewTab\":false},\"aggs\":[]}"},"id":"25ce6eb0-463b-11e7-a82e-d97152153689","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5NywxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_tunnels\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Tunnels - Logs","version":1},"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Destination Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Tunnels - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"26457730-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzE5OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RFB - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"265a04d0-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwMCwxXQ=="} +{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_syslog\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Syslog (Bro) - Logs","version":1},"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.method.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"},"id":"272b8ab0-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Bro - Connections - Service By Destination Country","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Bro - Connections - Service By Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\",\"row\":false}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}]}"},"id":"277f3250-4161-11e7-8493-51634b0a4565","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RADIUS - Result","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - RADIUS - Result\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"radius.result.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}"},"id":"27ab8260-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp_argument.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}"},"id":"e1907430-35b6-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Reply Message","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Reply Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"reply_message.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reply Message\"}}],\"listeners\":{}}"},"id":"adcd38e0-3679-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"FTP - Reply Code","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"FTP - Reply Code\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"reply_code.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"a0cb0860-367a-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"cf9e5660-367a-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Destination Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f1d3d070-367a-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIwOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Username","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"FTP - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}"},"id":"f9904390-3bff-11e7-be35-e7fc4052ff75","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"eead8540-6e14-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"FTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG9sT_xQT5EBNmq4DI","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"FTP - Command","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp_command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}"},"id":"d5681260-4c8c-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxMywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":20,\"y\":8,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":32,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":8,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":56,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":56,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":32,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"14\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"15\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":8,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - FTP","version":1},"id":"27f3b380-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"06f21d60-35b6-11e7-a994-c528746bc6e8","name":"panel_1","type":"visualization"},{"id":"e1907430-35b6-11e7-a994-c528746bc6e8","name":"panel_2","type":"visualization"},{"id":"adcd38e0-3679-11e7-8c78-e3086faf385c","name":"panel_3","type":"visualization"},{"id":"a0cb0860-367a-11e7-8c78-e3086faf385c","name":"panel_4","type":"visualization"},{"id":"cf9e5660-367a-11e7-8c78-e3086faf385c","name":"panel_5","type":"visualization"},{"id":"f1d3d070-367a-11e7-8c78-e3086faf385c","name":"panel_6","type":"visualization"},{"id":"f9904390-3bff-11e7-be35-e7fc4052ff75","name":"panel_7","type":"visualization"},{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"panel_8","type":"search"},{"id":"eead8540-6e14-11e7-8624-1fb07dd76c6a","name":"panel_9","type":"visualization"},{"id":"AWDG9sT_xQT5EBNmq4DI","name":"panel_10","type":"visualization"},{"id":"d5681260-4c8c-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxNCwxXQ=="} +{"attributes":{"columns":["alert_level","classification","description"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"event_type:ossec\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"OSSEC - Logs","version":1},"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"OSSEC - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"2817b300-3643-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - PE - Machine","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.machine.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Machine\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - PE - Machine\"}"},"id":"282bf2c0-c763-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T12:52:07.788Z","version":"WzczMSwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - Key Type (Donut)","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"x509.certificate.key.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.basic_constraints.ca: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - X.509 - Key Type (Donut)\"}"},"id":"2895c940-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T15:53:07.934Z","version":"WzgyMCwyXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:http\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - HTTP","version":1},"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Virtual Host","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Virtual Host\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.virtual_host.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Virtual Host\"}}]}"},"id":"28bf2ef0-6eb7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIxOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top Source IPs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top Source IPs\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"28c27f80-3b05-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyMCwxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","request_type","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_kerberos\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Kerberos - Logs","version":1},"id":"452daa10-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"28d04080-3636-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSH - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"CLient\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssh.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"},"id":"292b1db0-75ea-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyMywxXQ=="} +{"attributes":{"columns":["file_ip","destination_ip","source","uid","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event_type:bro_files\"}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Files - Logs","version":1},"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FIles - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FIles - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"295d7ed0-3656-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Target Filename","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Target Filename\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"target_filename.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Filename\"}}],\"listeners\":{}}"},"id":"29611940-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source Country","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Source Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"},"id":"296823d0-366f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyNywxXQ=="} +{"attributes":{"columns":["action","reason","source_ip","source_port","destination_ip","destination_port","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:firewall\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Firewall - Logs","version":1},"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Action/Reason (Vertical Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Action/Reason (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Action\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"reason.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reason\"}}],\"listeners\":{}}"},"id":"2a1eb100-6d82-11e7-bcd4-0d514e0e7da1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIyOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Version","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SNMP - Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"version.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"2a3ae810-36ba-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Lease Time","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Lease Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dhcp.lease_time: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.lease_time\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Lease Time\"}}]}"},"id":"2af5f980-96e2-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Client/Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Client/Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"id":"2bbdc020-6e34-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Files - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Files - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"6571ee10-3584-11e7-a588-05992195c551","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Files - Files By Size (Bytes)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Files - Files By Size (Bytes)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"seen_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Bytes Seen\"}}],\"listeners\":{}}"},"id":"cb3f3850-3585-11e7-8f28-2b291d0f6d86","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FIles - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FIles - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_ip.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File IP Address\"}}],\"listeners\":{}}"},"id":"67ab33d0-3656-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Files - MIME Type (Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Files - MIME Type (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"MIME Type\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mimetype.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}]}"},"id":"8c57f3d0-3674-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FIles - MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FIles - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mimetype.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"},"id":"aa021c90-3678-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Files - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Files - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG9goqxQT5EBNmq4BP","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Files - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Files - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}]}"},"id":"dff32860-4c8b-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzIzOSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"panelIndex\":\"3\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"file_ip\",\"destination_ip\",\"source\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":48,\"i\":\"7\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":48,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"12\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Files","version":1},"id":"2d315d80-3582-11e7-98ef-19df58fe538b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"6571ee10-3584-11e7-a588-05992195c551","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"cb3f3850-3585-11e7-8f28-2b291d0f6d86","name":"panel_3","type":"visualization"},{"id":"295d7ed0-3656-11e7-baa7-b7de4ee40605","name":"panel_4","type":"visualization"},{"id":"67ab33d0-3656-11e7-baa7-b7de4ee40605","name":"panel_5","type":"visualization"},{"id":"8c57f3d0-3674-11e7-8c78-e3086faf385c","name":"panel_6","type":"visualization"},{"id":"aa021c90-3678-11e7-8c78-e3086faf385c","name":"panel_7","type":"visualization"},{"id":"AWDG9goqxQT5EBNmq4BP","name":"panel_8","type":"visualization"},{"id":"dff32860-4c8b-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Kerberos - Request Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Kerberos - Request Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.request_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request Type\"}}]}"},"id":"2d73e460-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"2da139c0-34e7-11e7-9118-45bd317f0ca4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SIP - Content Type (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Content Type (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"content_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"2db47070-3754-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"e3fb39a0-75ee-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - SAN DNS","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - SAN DNS\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.san_dns.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.san_dns.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SAN DNS\"}}]}"},"id":"47f40770-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - Issuer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.certificate.issuer.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.certificate.issuer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Issuer\"}}]}"},"id":"b7334c00-75ee-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X509 - Key Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.certificate.key.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Key Type\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - X509 - Key Type\"}"},"id":"8d4a9990-c77c-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T15:53:54.857Z","version":"WzgyMSwyXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:x509\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":8,\"i\":\"2d374b61-ac4b-4f89-aec2-254ab0a2e011\"},\"panelIndex\":\"2d374b61-ac4b-4f89-aec2-254ab0a2e011\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":8,\"i\":\"7372042e-3e70-4764-abb1-0c4c9288ff23\"},\"panelIndex\":\"7372042e-3e70-4764-abb1-0c4c9288ff23\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"eee8c3b6-66eb-4427-99ed-459c294599c7\"},\"panelIndex\":\"eee8c3b6-66eb-4427-99ed-459c294599c7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":30,\"h\":22,\"i\":\"3c5d4fc3-bad7-435e-aadc-21de562b638d\"},\"panelIndex\":\"3c5d4fc3-bad7-435e-aadc-21de562b638d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":22,\"i\":\"3fb3ec30-312a-45aa-93be-b8955615bf71\"},\"panelIndex\":\"3fb3ec30-312a-45aa-93be-b8955615bf71\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":30,\"w\":30,\"h\":21,\"i\":\"0a395978-b95f-4bfc-82fa-737307cd8ebd\"},\"panelIndex\":\"0a395978-b95f-4bfc-82fa-737307cd8ebd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":30,\"y\":30,\"w\":18,\"h\":21,\"i\":\"e6e39ec1-063a-4e34-a909-4f47397fa79b\"},\"panelIndex\":\"e6e39ec1-063a-4e34-a909-4f47397fa79b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - X509","version":1},"id":"2e0865f0-75ee-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"e3fb39a0-75ee-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"47f40770-75ef-11ea-9565-7315f4ee5cac","name":"panel_4","type":"visualization"},{"id":"b7334c00-75ee-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"8d4a9990-c77c-11ea-bebb-37c5ab5894ea","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-16T15:55:10.553Z","version":"WzgyMiwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Cookie","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.cookie.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.cookie.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Cookie\"}}]}"},"id":"2e7363f0-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Entry","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Entry\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"entry.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Entry\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"entry_location.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Entry Location\"}}],\"listeners\":{}}"},"id":"2ef9ccd0-6d7a-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI0OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Change Stats","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"osquery - Change Stats\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"osquery.hostIdentifier.keyword\",\"customLabel\":\"Endpoints\"}}]}"},"id":"2f556c90-14e3-11e9-82f7-0da02d93a48b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:files\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - Analyzer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - Analyzer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.analyzer.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.analyzer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Analyzer\"}}]}"},"id":"2fc4bea0-7730-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1MSwxXQ=="} +{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dnp3\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DNP3 - Logs","version":1},"id":"c2587840-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNP3 - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"593f1850-3581-11e7-98ef-19df58fe538b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"dde8c8a0-3719-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"ef7546c0-3719-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"4898f230-6e0e-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DNP3 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG9DWvxQT5EBNmq3-m","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNP3 - Function Request","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Function Request\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"fc_request.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request\"}}]}"},"id":"857c6760-4a4d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNP3 - Function Reply","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Function Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"fc_reply.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reply\"}}]}"},"id":"bd5435f0-4a4d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI1OSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":8,\"y\":32,\"w\":12,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":20,\"y\":32,\"w\":12,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":24,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"x\":32,\"y\":32,\"w\":16,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":24,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"14\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":24,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - DNP3","version":1},"id":"2fdf5bf0-3581-11e7-98ef-19df58fe538b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"593f1850-3581-11e7-98ef-19df58fe538b","name":"panel_1","type":"visualization"},{"id":"dde8c8a0-3719-11e7-90f8-87842d5eedc9","name":"panel_2","type":"visualization"},{"id":"ef7546c0-3719-11e7-90f8-87842d5eedc9","name":"panel_3","type":"visualization"},{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"4898f230-6e0e-11e7-8624-1fb07dd76c6a","name":"panel_5","type":"visualization"},{"id":"AWDG9DWvxQT5EBNmq3-m","name":"panel_6","type":"visualization"},{"id":"857c6760-4a4d-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"},{"id":"bd5435f0-4a4d-11e8-9b0a-f1d33346f773","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Intel - Seen (Donut Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"Intel - Seen (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"seen_where.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Seen (Where)\"}}]}"},"id":"3013af40-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RADIUS - Authentication Result","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"RADIUS - Authentication Result\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"result.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"30348db0-4a5b-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - File/Path Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"SMB - File/Path Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"path.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Path\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"File Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"action.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}"},"id":"306c4330-4175-11e7-a0f7-47f4c03e3306","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_hostname.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}]}"},"id":"3072c750-6d71-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security Onion - Navigation","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Navigation\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Event Category** \\n[Alert](/kibana/app/kibana#/dashboard/0e4af1d0-72ae-11ea-8dd2-9d8795a1200b) | \\n[File](/kibana/app/kibana#/dashboard/0245be10-6ec1-11ea-9266-1fd14ca6af34) |\\n[Host](/kibana/app/kibana#/dashboard/92e63cc0-6ec0-11ea-9266-1fd14ca6af34) | [Network](/kibana/app/kibana#/dashboard/04ff3ef0-6ea4-11ea-9266-1fd14ca6af34) \"},\"aggs\":[]}"},"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2NSwxXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - All Logs","version":1},"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2NiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"*\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":9,\"h\":8,\"i\":\"c706b8e5-9d49-4700-a3ea-26e86ac3a4c4\"},\"panelIndex\":\"c706b8e5-9d49-4700-a3ea-26e86ac3a4c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":0,\"w\":16,\"h\":8,\"i\":\"77c5d557-83e4-40b9-9177-388db29d711d\"},\"panelIndex\":\"77c5d557-83e4-40b9-9177-388db29d711d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":8,\"i\":\"f044ff9c-455a-4085-88c8-92e9ead2bba0\"},\"panelIndex\":\"f044ff9c-455a-4085-88c8-92e9ead2bba0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"54873f75-4452-4938-840d-3a2f50547a88\"},\"panelIndex\":\"54873f75-4452-4938-840d-3a2f50547a88\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":13,\"h\":19,\"i\":\"30749cb6-18ad-4069-b18d-5912086fff9c\"},\"panelIndex\":\"30749cb6-18ad-4069-b18d-5912086fff9c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":8,\"w\":13,\"h\":19,\"i\":\"7c498d50-d009-493a-a8c9-c91303ad5556\"},\"panelIndex\":\"7c498d50-d009-493a-a8c9-c91303ad5556\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":35,\"y\":8,\"w\":13,\"h\":19,\"i\":\"2f69e716-e6e9-4595-801d-8f59b7d2c574\"},\"panelIndex\":\"2f69e716-e6e9-4595-801d-8f59b7d2c574\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":31,\"i\":\"6ddfd0a2-337e-47d1-8d4c-bc386a4210af\"},\"panelIndex\":\"6ddfd0a2-337e-47d1-8d4c-bc386a4210af\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Indicator","version":1},"id":"30d0ac90-729f-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"d9eb5b30-6ea9-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"search"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Destination IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"},"id":"30e97190-6eb6-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"312cd460-364e-11e7-9dc3-d35061cb642d","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI2OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Server Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Server Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.server_major_version.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.server_major_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.server_minor_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Minor Version\"}}]}"},"id":"316e90a0-75c8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DHCP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"},"id":"317f8410-3655-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"31f5e040-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"Security Onion - Host Data","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Osquery](/kibana/app/kibana#/dashboard/bf7cf8d0-7732-11ea-bee5-af7f7c7b8e05) \\n[Sysmon](/kibana/app/kibana#/dashboard/32f01e80-c780-11ea-bebb-37c5ab5894ea) \\n[Wazuh](/kibana/app/kibana#/dashboard/9480f190-7732-11ea-bee5-af7f7c7b8e05) \\n\"},\"title\":\"Security Onion - Host Data\"}"},"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-16T16:20:30.720Z","version":"WzgzOCwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - Username\"}"},"id":"767c89f0-af4c-11ea-b262-353d451b125b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Process CLI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - Process CLI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"process.command_line.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.command_line.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Line\"}}]}"},"id":"758187b0-72bd-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2NSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.module:sysmon\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"7f9eaa30-b358-4027-a312-249defe273c4\"},\"panelIndex\":\"7f9eaa30-b358-4027-a312-249defe273c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":7,\"y\":0,\"w\":17,\"h\":7,\"i\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\"},\"panelIndex\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":7,\"i\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\"},\"panelIndex\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":12,\"h\":16,\"i\":\"a49b6a25-fbb1-45bb-9585-c6ade0fced1f\"},\"panelIndex\":\"a49b6a25-fbb1-45bb-9585-c6ade0fced1f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":12,\"y\":7,\"w\":12,\"h\":16,\"i\":\"0172c75f-b90b-4bd6-852f-0852a2ace598\"},\"panelIndex\":\"0172c75f-b90b-4bd6-852f-0852a2ace598\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":24,\"y\":7,\"w\":24,\"h\":16,\"i\":\"1d246882-3945-4a7e-b602-15ccf3f09310\"},\"panelIndex\":\"1d246882-3945-4a7e-b602-15ccf3f09310\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":23,\"w\":48,\"h\":31,\"i\":\"db4fa812-32fb-43c8-baa8-e88206cae126\"},\"panelIndex\":\"db4fa812-32fb-43c8-baa8-e88206cae126\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - Sysmon","version":1},"id":"32f01e80-c780-11ea-bebb-37c5ab5894ea","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"767c89f0-af4c-11ea-b262-353d451b125b","name":"panel_4","type":"visualization"},{"id":"758187b0-72bd-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"search"}],"type":"dashboard","updated_at":"2020-07-16T16:30:59.797Z","version":"Wzg0MSwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Tunnels - Action (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Tunnels - Action (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}}]}"},"id":"33b39a60-6e35-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3MywxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_irc\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"IRC - Logs","version":1},"id":"344c6010-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Severity (Horizontal Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false},\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Severity (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"Severity\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"severity.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Severity\"}}],\"listeners\":{}}"},"id":"346e5c30-76b7-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - Share Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - Share Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.share_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"34762420-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Intel - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"361d0bd0-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Message Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.message_types.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message Type\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - DHCP - Message Type\"}"},"id":"36200e40-c76b-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T13:49:47.172Z","version":"WzczOCwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Changes by Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"osquery - Changes by Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Change Type\"}}]}"},"id":"369e16e0-14e4-11e9-82f7-0da02d93a48b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Certificate Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}"},"id":"3753e110-365a-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI3OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - IRC - Command Info","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - IRC - Command Info\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.command.info.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"irc.command.info.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Info\"}}]}"},"id":"db279540-75bb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - User Command Overview","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - User Command Overview\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.nickname.keyword: Descending\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Command Type\",\"aggType\":\"terms\"},{\"accessor\":4,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.username.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.username.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.nickname.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.command.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Type\"}}]}"},"id":"f7ee5fb0-75bb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4MSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:irc\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"2d2b4444-14c0-4812-a22e-ca6d509a0c7f\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"2d2b4444-14c0-4812-a22e-ca6d509a0c7f\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"0035e7f6-2c85-494d-88aa-0f6ebc21f6c8\",\"w\":16,\"x\":13,\"y\":0},\"panelIndex\":\"0035e7f6-2c85-494d-88aa-0f6ebc21f6c8\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"147c5d40-556b-4b41-a1bb-ed0976fae0c8\",\"w\":19,\"x\":29,\"y\":0},\"panelIndex\":\"147c5d40-556b-4b41-a1bb-ed0976fae0c8\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"9a9084a5-0f74-4bdd-befd-b9bece56ea53\",\"w\":8,\"x\":0,\"y\":8},\"panelIndex\":\"9a9084a5-0f74-4bdd-befd-b9bece56ea53\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"9ffba622-36f6-4343-b0a3-1c59e3f6d297\",\"w\":9,\"x\":8,\"y\":8},\"panelIndex\":\"9ffba622-36f6-4343-b0a3-1c59e3f6d297\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"f0f0af04-4f81-437a-ada5-173a1ef8bd11\",\"w\":15,\"x\":17,\"y\":8},\"panelIndex\":\"f0f0af04-4f81-437a-ada5-173a1ef8bd11\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"3dab7339-3266-4127-86f3-eef2108d5dbf\",\"w\":16,\"x\":32,\"y\":8},\"panelIndex\":\"3dab7339-3266-4127-86f3-eef2108d5dbf\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - IRC","version":1},"id":"38523560-75ba-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"db279540-75bb-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"f7ee5fb0-75bb-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Alert Summary - Drilldown","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Alert Summary - Drilldown\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"3a1b54b0-e061-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4MywxXQ=="} +{"attributes":{"columns":["message"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:ossec_archive\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"OSSEC - Archive","version":1},"id":"ebf74e90-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"OSSEC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHHXl3xQT5EBNmq42U","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4NSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":8,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"alert_level\",\"classification\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":48,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"columns\":[\"message\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"OSSEC","version":1},"id":"3a457d70-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"2817b300-3643-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","name":"panel_2","type":"search"},{"id":"ebf74e90-342f-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"},{"id":"AWDHHXl3xQT5EBNmq42U","name":"panel_4","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Response","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - Response\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.response.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"3af496e0-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Image","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Sysmon - Image\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"None\",\"exclude\":\"\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"parent_image_path.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"None\",\"exclude\":\"\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Parent Image\"}}]}"},"id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Priority (Vertical bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Syslog - Priority (Vertical bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Priority\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog-priority.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Priority\"}}],\"listeners\":{}}"},"id":"3bf1fdc0-76e6-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI4OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"IRC - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"3c073d20-6e17-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Modbus - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}]}"},"id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Tunnels - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"3cdf2400-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.action.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.source.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"3e6037d0-75f2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"3f040620-4a44-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"3f34faa0-3636-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Agent - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Agent - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"407784f0-7738-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Source IP","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top 10 - Total Bytes By Source IP\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"left\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"source_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}}]}"},"id":"41a33c80-3b0d-11e7-a6f9-5d3fe735ec2b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"X.509 - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"41bee360-3642-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5OCwxXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:creation_date AND creation_date:[now-3M TO now]\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DNS - Domains with creation date < 3 months","version":1},"id":"fce833e0-6f12-11e7-86c8-a1b6db3b051a","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzI5OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Baby Domain Requests","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Baby Domain Requests\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"creation_date\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_term\"}}],\"listeners\":{}}"},"id":"41ec0ca0-6f13-11e7-86c8-a1b6db3b051a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"fce833e0-6f12-11e7-86c8-a1b6db3b051a","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SNMP - Community String","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SNMP - Community String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"snmp.community.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"snmp.community.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Community String\"}}]}"},"id":"424ace90-75e9-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"endpoint.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"operation.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"named_pipe.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}]}"},"id":"42b17660-4a47-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Log Count Over Time","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Syslog - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 10 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"79a2a4e0-76e5-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Syslog - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Syslog - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-sourceip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"},"id":"e7a99b10-76e5-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Syslog - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHKVLMxQT5EBNmq5HX","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwNSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":24,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":24,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":60,\"x\":0,\"y\":48,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"syslog-host_from\",\"syslog-priority\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"Syslog","version":1},"id":"4323af90-76e5-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"79a2a4e0-76e5-11e7-ab14-e1a4c1bc11e0","name":"panel_1","type":"visualization"},{"id":"e7a99b10-76e5-11e7-ab14-e1a4c1bc11e0","name":"panel_2","type":"visualization"},{"id":"0a2ce700-76e6-11e7-ab14-e1a4c1bc11e0","name":"panel_3","type":"visualization"},{"id":"3bf1fdc0-76e6-11e7-ab14-e1a4c1bc11e0","name":"panel_4","type":"visualization"},{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"panel_5","type":"search"},{"id":"AWDHKVLMxQT5EBNmq5HX","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Tunnels - Type (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Tunnels - Type (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tunnel_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"43b2b040-3807-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Key Algorithm (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"X.509 - Certificate Key Algorithm (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"certificate_key_algorithm.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Algorithm\"}}],\"listeners\":{}}"},"id":"446e85c0-6e37-11e7-a8d6-ed2e692de531","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Least Common HTTP Methods","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Least Common HTTP Methods\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":13,\"maxFontSize\":39,\"showLabel\":false,\"metric\":{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}}},\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.method.keyword\",\"orderBy\":\"1\",\"order\":\"asc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"6411e5b0-6eb2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMwOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"destination.port: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}"},"id":"51ad64d0-6eb7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"6d0fb2b0-6eb6-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - UserAgent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - UserAgent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.useragent.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"UserAgent\"}}]}"},"id":"c2f93f40-6ed7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - URI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"http.uri.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.uri.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"URI\"}}]}"},"id":"f22e8660-6eb6-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxMywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:http\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"6e3caf86-a1ea-4363-9c73-205de5f43ba9\"},\"panelIndex\":\"6e3caf86-a1ea-4363-9c73-205de5f43ba9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"0b0546ef-637b-4a40-b87b-a454b78cc810\"},\"panelIndex\":\"0b0546ef-637b-4a40-b87b-a454b78cc810\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"9c49b93a-5b5d-4613-8342-c01c69970bce\"},\"panelIndex\":\"9c49b93a-5b5d-4613-8342-c01c69970bce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":9,\"h\":18,\"i\":\"377e3099-7aec-474c-9201-2f1845c58d24\"},\"panelIndex\":\"377e3099-7aec-474c-9201-2f1845c58d24\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":18,\"i\":\"15d7c88b-1619-4290-8968-fa2adfddd72f\"},\"panelIndex\":\"15d7c88b-1619-4290-8968-fa2adfddd72f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":18,\"i\":\"d1219968-6b7f-4040-9c75-0611b9cbf8a0\"},\"panelIndex\":\"d1219968-6b7f-4040-9c75-0611b9cbf8a0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":9,\"w\":23,\"h\":18,\"i\":\"1b444602-2f1c-4c32-85fc-1e5f46235303\"},\"panelIndex\":\"1b444602-2f1c-4c32-85fc-1e5f46235303\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":11,\"h\":18,\"i\":\"9b1df72c-b6fd-4abd-a961-32176c26cc3d\"},\"panelIndex\":\"9b1df72c-b6fd-4abd-a961-32176c26cc3d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":11,\"y\":27,\"w\":10,\"h\":18,\"i\":\"52c3ab70-9b8d-4c26-953d-f1a943fdff38\"},\"panelIndex\":\"52c3ab70-9b8d-4c26-953d-f1a943fdff38\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":21,\"y\":27,\"w\":27,\"h\":18,\"i\":\"ea97cb71-fbb6-46ae-bb4a-4d01c3a6edb2\"},\"panelIndex\":\"ea97cb71-fbb6-46ae-bb4a-4d01c3a6edb2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - HTTP","version":1},"id":"44e9c820-6eb1-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"6411e5b0-6eb2-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"51ad64d0-6eb7-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"6d0fb2b0-6eb6-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"30e97190-6eb6-11ea-9266-1fd14ca6af34","name":"panel_5","type":"visualization"},{"id":"c2f93f40-6ed7-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"},{"id":"088aad70-7377-11ea-a3da-cbdb4f8a90c0","name":"panel_7","type":"visualization"},{"id":"28bf2ef0-6eb7-11ea-9266-1fd14ca6af34","name":"panel_8","type":"visualization"},{"id":"f22e8660-6eb6-11ea-9266-1fd14ca6af34","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Modbus - Function","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"function.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Function\"}}]}"},"id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Category","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS Alerts - Category\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Category\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"category.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Category\"}}]}"},"id":"45464b50-3af6-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Query Class (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Query Class (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"query_class_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Class\"}}]}"},"id":"45a652b0-34c1-11e7-917c-af7a9d11771a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxNywxXQ=="} +{"attributes":{"columns":["message","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_pe\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"PE - Logs","version":1},"id":"66288140-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"PE - OS (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PE - OS (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"os.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"45c4ae10-380c-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMxOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSH - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.server.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssh.server.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server\"}}]}"},"id":"46221fe0-75ea-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DCE/RPC - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"cbb67b00-3af2-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f52f8bc0-3af2-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Endpoint","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Endpoint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"endpoint.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}}],\"listeners\":{}}"},"id":"553acbb0-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Named Pipe","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Named Pipe\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"named_pipe.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}],\"listeners\":{}}"},"id":"6b7122d0-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Operation","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"operation.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}}],\"listeners\":{}}"},"id":"86107960-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Round Trip Time","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Round Trip Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rtt\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Round Trip Time\"}}]}"},"id":"f275f490-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG8k4OxQT5EBNmq37a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"d979b0f0-4a45-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyOCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":104,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":80,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"17\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":80,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - DCE/RPC","version":1},"id":"46582d50-3af2-11e7-a83b-b1b4da7d15f4","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"panel_0","type":"search"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"cbb67b00-3af2-11e7-a83b-b1b4da7d15f4","name":"panel_2","type":"visualization"},{"id":"f52f8bc0-3af2-11e7-a83b-b1b4da7d15f4","name":"panel_3","type":"visualization"},{"id":"10b8a610-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_4","type":"visualization"},{"id":"553acbb0-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_5","type":"visualization"},{"id":"6b7122d0-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"86107960-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_7","type":"visualization"},{"id":"f275f490-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_8","type":"visualization"},{"id":"AWDG8k4OxQT5EBNmq37a","name":"panel_9","type":"visualization"},{"id":"d979b0f0-4a45-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"},{"id":"42b17660-4a47-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMyOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sources.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}],\"listeners\":{}}"},"id":"613de590-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"a5571030-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"ba2d3b10-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Indicator","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Indicator\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"indicator.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator\"}}],\"listeners\":{}}"},"id":"6380b430-399c-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mimetype.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"},"id":"af614b80-399c-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Matched","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Matched\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"matched.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type Matched\"}}],\"listeners\":{}}"},"id":"c8540380-399c-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"a5bcec80-6e15-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Intel - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG-Qf8xQT5EBNmq4G5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzNywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"Bro - Intel","version":1},"id":"468022c0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"361d0bd0-35b7-11e7-a994-c528746bc6e8","name":"panel_1","type":"visualization"},{"id":"3013af40-399b-11e7-8472-0151e5b2b475","name":"panel_2","type":"visualization"},{"id":"613de590-399b-11e7-8472-0151e5b2b475","name":"panel_3","type":"visualization"},{"id":"a5571030-399b-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"ba2d3b10-399b-11e7-8472-0151e5b2b475","name":"panel_5","type":"visualization"},{"id":"6380b430-399c-11e7-8472-0151e5b2b475","name":"panel_6","type":"visualization"},{"id":"af614b80-399c-11e7-8472-0151e5b2b475","name":"panel_7","type":"visualization"},{"id":"c8540380-399c-11e7-8472-0151e5b2b475","name":"panel_8","type":"visualization"},{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"a5bcec80-6e15-11e7-8624-1fb07dd76c6a","name":"panel_10","type":"visualization"},{"id":"07622d60-6e16-11e7-8624-1fb07dd76c6a","name":"panel_11","type":"visualization"},{"id":"AWDG-Qf8xQT5EBNmq4G5","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Category","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Autoruns - Category\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Category\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"category.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Category\"}}],\"listeners\":{}}"},"id":"482be9b0-6d78-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzMzOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Kerberos - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Kerberos - Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"kerberos.service.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.service.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}"},"id":"48331f00-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Request From","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Request From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.request.from.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.request.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request From\"}}]}"},"id":"49384710-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"network.transport:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Network - Transport","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network - Transport\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"network.transport.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.transport.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Network Transport\"}}]}"},"id":"499a0690-6ead-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.source.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source\"}}]}"},"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Protocol (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Protocol (Donut Chart)\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"protocol.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}]}"},"id":"49e04860-4a4e-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Kerberos - Request Type (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Request Type (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"request_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request Type\"}}]}"},"id":"4aa0b2a0-6e1a-11e7-89e4-613b96f597e1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network - Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network - Destination IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IPs\"}}]}"},"id":"4adca340-6eae-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND highest_registered_domain:google.com~ -highest_registered_domain:google.com AND highest_registered_domain:youtube.com~ -highest_registered_domain:youtube.com AND highest_registered_domain:facebook.com~ -highest_registered_domain:facebook.com AND highest_registered_domain:wikipedia.org~ -highest_registered_domain:wikipedia.org AND highest_registered_domain:google.co.in~ -highest_registered_domain:google.co.in AND highest_registered_domain:reddit.com~ -highest_registered_domain:reddit.com AND highest_registered_domain:amazon.com~ -highest_registered_domain:amazon.com AND highest_registered_domain:taobao.com~ -highest_registered_domain:taobao.com AND highest_registered_domain:twitter.com~ -highest_registered_domain:twitter.com AND highest_registered_domain:google.co.jp~ -highest_registered_domain:google.co.jp AND highest_registered_domain:instagram.com~ -highest_registered_domain:instagram.com AND highest_registered_domain:sina.com.cn~ -highest_registered_domain:sina.com.cn AND highest_registered_domain:google.co.uk~ -highest_registered_domain:google.co.uk AND highest_registered_domain:linkedin.com~ -highest_registered_domain:linkedin.com AND highest_registered_domain:list.tmall.com~ -highest_registered_domain:list.tmall.com AND highest_registered_domain:google.com.br~ -highest_registered_domain:google.com.br AND highest_registered_domain:google.com.hk~ -highest_registered_domain:google.com.hk AND highest_registered_domain:netflix.com~ -highest_registered_domain:netflix.com AND highest_registered_domain:yahoo.co.jp~ -highest_registered_domain:yahoo.co.jp AND highest_registered_domain:pornhub.com~ -highest_registered_domain:pornhub.com AND highest_registered_domain:xvideos.com~ -highest_registered_domain:xvideos.com AND highest_registered_domain:microsoft.com~ -highest_registered_domain:microsoft.com AND highest_registered_domain:livejasmin.com~ -highest_registered_domain:livejasmin.com AND highest_registered_domain:aliexpress.com~ -highest_registered_domain:aliexpress.com AND highest_registered_domain:stackoverflow.com~ -highest_registered_domain:stackoverflow.com AND highest_registered_domain:wordpress.com~ -highest_registered_domain:wordpress.com AND highest_registered_domain:hao123.com~ -highest_registered_domain:hao123.com AND highest_registered_domain:github.com~ -highest_registered_domain:github.com AND highest_registered_domain:amazon.co.jp~ -highest_registered_domain:amazon.co.jp AND highest_registered_domain:blogspot.com~ -highest_registered_domain:blogspot.com AND highest_registered_domain:pinterest.com~ -highest_registered_domain:pinterest.com AND highest_registered_domain:bongacams.com~ -highest_registered_domain:bongacams.com AND highest_registered_domain:google.com.tr~ -highest_registered_domain:google.com.tr AND highest_registered_domain:popads.net~ -highest_registered_domain:popads.net AND highest_registered_domain:paypal.com~ -highest_registered_domain:paypal.com AND highest_registered_domain:office.com~ -highest_registered_domain:office.com AND highest_registered_domain:google.com.tw~ -highest_registered_domain:google.com.tw AND highest_registered_domain:google.com.au~ -highest_registered_domain:google.com.au AND highest_registered_domain:whatsapp.com~ -highest_registered_domain:whatsapp.com AND highest_registered_domain:microsoftonline.com~ -highest_registered_domain:microsoftonline.com\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Phishing Attempts Against Alexa Top Sites","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 0\":\"rgb(0,104,55)\",\"1 - 999999\":\"rgb(165,0,38)\"}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Phishing attempts against your domain(s)\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"gauge\":{\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":0},{\"from\":1,\"to\":999999}],\"extendRange\":true,\"gaugeColorMode\":\"Labels\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Arc\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":true},\"style\":{\"bgColor\":false,\"bgFill\":\"#eee\",\"bgMask\":false,\"bgWidth\":0.9,\"fontSize\":60,\"labelColor\":true,\"mask\":false,\"maskBars\":50,\"subText\":\"Edit this to reflect your domain(s)\",\"width\":0.9},\"type\":\"meter\",\"alignment\":\"horizontal\"}},\"title\":\"DNS - Phishing Attempts Against Alexa Top Sites\",\"type\":\"gauge\"}"},"id":"4d89e140-6f09-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Top Connection Duration (Tile Map)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Source - Top Connection Duration (Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"5ea38360-46c7-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0OCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[14.604847155053898,0.17578125],\"mapZoom\":2}}]","timeRestore":false,"title":"Connections - Source - Top Connection Duration","version":1},"id":"4e108070-46c7-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"5ea38360-46c7-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM0OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Section Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"PE - Section Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"section_names.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"4e56b4d0-416f-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DHCP - IP to MAC Assignment","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - IP to MAC Assignment\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"assigned_ip.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Assigned IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mac.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MAC Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"4e877100-4a48-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Issuer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.issuer.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.issuer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Issuer\"}}]}"},"id":"4e8cbf80-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1MiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":false}","panelsJSON":"[]","timeRestore":false,"title":"OSSEC","version":1},"id":"4f6f3440-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.3.0"},"references":[],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Server Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Server Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_major_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_minor_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}"},"id":"4fade7b0-6e22-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"e76d2eb0-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Firewall - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"c3a06740-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Firewall - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"df06de60-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Destination Port","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Destination Port\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"fcf75bc0-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM1OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Protocol","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Protocol\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"ipv4_protocol.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"f8f0dbc0-6d82-11e7-912f-0950e6d5c322","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Firewall - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHH3kBxQT5EBNmq459","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2MSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":60,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":36,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":36,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":24,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":16,\"h\":16,\"x\":32,\"y\":8,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":24,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":60,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{\"columns\":[\"action\",\"reason\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"Firewall","version":1},"id":"50173bd0-3582-11e7-98ef-19df58fe538b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"e76d2eb0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"c3a06740-6d75-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"df06de60-6d75-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"2a1eb100-6d82-11e7-bcd4-0d514e0e7da1","name":"panel_4","type":"visualization"},{"id":"fcf75bc0-6d75-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"f8f0dbc0-6d82-11e7-912f-0950e6d5c322","name":"panel_6","type":"visualization"},{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"panel_7","type":"search"},{"id":"AWDHH3kBxQT5EBNmq459","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File Size","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File Size\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.size: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.size\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Size\"}}]}"},"id":"50b4c880-72df-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"},"id":"524e13b0-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Answers","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNS - Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.answers.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.answers.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Answer\"}}]}"},"id":"536876a0-72ba-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Tunnels - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"53824da0-6e35-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"5393c710-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"id":"53ac63e0-365b-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2OCwxXQ=="} +{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_smtp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SMTP - Logs","version":1},"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM2OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Webmail - True/False (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"SMTP - Webmail - True/False (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Webmail\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"is_webmail.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Webmail\"}}],\"listeners\":{}}"},"id":"53beb0d0-6e29-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"54d78f50-6e33-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - NTLM - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - NTLM - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ntlm.success: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ntlm.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"id":"e9f31a70-75c2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - NTLM - Tree","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - NTLM - Tree\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ntlm.server.tree.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.tree.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Tree\"}}]}"},"id":"8cb83890-75c2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - NTLM - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - NTLM - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Netbios\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"DNS\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.nb.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"NetBIOS\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.dns.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"\",\"customLabel\":\"DNS\"}}]}"},"id":"63f139c0-75c2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3NCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:ntlm\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"4555a871-9c2c-48d4-b143-bffc6d41ea4d\"},\"panelIndex\":\"4555a871-9c2c-48d4-b143-bffc6d41ea4d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"0bc9ae29-cbc1-4272-ad27-9c2ff51c19ff\"},\"panelIndex\":\"0bc9ae29-cbc1-4272-ad27-9c2ff51c19ff\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"d32748d9-d47b-41bb-ab9f-b59817230998\"},\"panelIndex\":\"d32748d9-d47b-41bb-ab9f-b59817230998\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":18,\"i\":\"2f7a5ee8-2258-4c8d-af2d-99a9e11defa2\"},\"panelIndex\":\"2f7a5ee8-2258-4c8d-af2d-99a9e11defa2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":18,\"i\":\"4a50def3-c905-4493-b352-59741d68326e\"},\"panelIndex\":\"4a50def3-c905-4493-b352-59741d68326e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":10,\"h\":18,\"i\":\"075d7365-e106-4a1e-b003-bab7abbb7146\"},\"panelIndex\":\"075d7365-e106-4a1e-b003-bab7abbb7146\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":9,\"w\":9,\"h\":18,\"i\":\"5202d0b2-7f34-4182-8e25-ec87d4df0965\"},\"panelIndex\":\"5202d0b2-7f34-4182-8e25-ec87d4df0965\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":35,\"y\":9,\"w\":13,\"h\":18,\"i\":\"f93042fa-bdd7-495f-af7b-eec95073e015\"},\"panelIndex\":\"f93042fa-bdd7-495f-af7b-eec95073e015\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - NTLM","version":1},"id":"558292e0-75c1-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"e9f31a70-75c2-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"8cb83890-75c2-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"63f139c0-75c2-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Response Code Name (Donut)","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dns.response.code_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.response.code_name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - DNS - Response Code Name (Donut)\"}"},"id":"a9bd4090-72b9-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T14:23:44.153Z","version":"Wzc1NiwyXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dns\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"ae3e83b1-5e53-40eb-8e4f-541e4851ddd2\"},\"panelIndex\":\"ae3e83b1-5e53-40eb-8e4f-541e4851ddd2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":14,\"h\":9,\"i\":\"4b8b4859-bd5c-446c-94e1-6d9b57cbe922\"},\"panelIndex\":\"4b8b4859-bd5c-446c-94e1-6d9b57cbe922\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":9,\"i\":\"ee03c5c1-9e26-42e3-b569-afa2712d7047\"},\"panelIndex\":\"ee03c5c1-9e26-42e3-b569-afa2712d7047\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":19,\"i\":\"706d8a5a-a263-48d0-8eb8-12eeade27115\"},\"panelIndex\":\"706d8a5a-a263-48d0-8eb8-12eeade27115\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":19,\"i\":\"bf29b086-8b8d-47a5-8280-afeb737d6163\"},\"panelIndex\":\"bf29b086-8b8d-47a5-8280-afeb737d6163\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":18,\"y\":9,\"w\":8,\"h\":19,\"i\":\"e99fb09c-6d8a-4a26-87ca-9ab82ef137c9\"},\"panelIndex\":\"e99fb09c-6d8a-4a26-87ca-9ab82ef137c9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":26,\"y\":9,\"w\":11,\"h\":19,\"i\":\"499d1548-292c-47a9-8f26-73a6af91d004\"},\"panelIndex\":\"499d1548-292c-47a9-8f26-73a6af91d004\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":37,\"y\":9,\"w\":11,\"h\":19,\"i\":\"f3761ba4-c0d3-4158-9da2-3c7740fcffc3\"},\"panelIndex\":\"f3761ba4-c0d3-4158-9da2-3c7740fcffc3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":28,\"w\":23,\"h\":21,\"i\":\"e41240ec-8024-4f3f-9de0-869622470e4d\"},\"panelIndex\":\"e41240ec-8024-4f3f-9de0-869622470e4d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":23,\"y\":28,\"w\":25,\"h\":21,\"i\":\"fe297ab2-9a4b-438c-913b-7b5d1dea6182\"},\"panelIndex\":\"fe297ab2-9a4b-438c-913b-7b5d1dea6182\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - DNS","version":1},"id":"55ac6bf0-6ec4-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"13cda410-c770-11ea-bebb-37c5ab5894ea","name":"panel_6","type":"visualization"},{"id":"a9bd4090-72b9-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"07065340-72ba-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"visualization"},{"id":"536876a0-72ba-11ea-8dd2-9d8795a1200b","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-16T14:25:34.715Z","version":"Wzc1OCwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"IRC - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"85b1f890-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"bf959cb0-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM3OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"e4615200-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"IRC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_HoKxQT5EBNmq4KN","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"IRC - Destination Country","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Destination Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Country\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.city_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination City\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"f625b7b0-4a56-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"IRC - Command","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"irc_command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}"},"id":"7bc09930-4a57-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4MywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - IRC","version":1},"id":"56a34ce0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"85b1f890-35b7-11e7-a994-c528746bc6e8","name":"panel_1","type":"visualization"},{"id":"bf959cb0-35b7-11e7-a994-c528746bc6e8","name":"panel_2","type":"visualization"},{"id":"e4615200-35b7-11e7-a994-c528746bc6e8","name":"panel_3","type":"visualization"},{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"3c073d20-6e17-11e7-8624-1fb07dd76c6a","name":"panel_5","type":"visualization"},{"id":"AWDG_HoKxQT5EBNmq4KN","name":"panel_6","type":"visualization"},{"id":"f625b7b0-4a56-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"},{"id":"7bc09930-4a57-11e8-9b0a-f1d33346f773","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"},"id":"57a9a3f0-34c0-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Lease Time","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Lease Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"lease_time.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Lease Time\"}}]}"},"id":"58c84f60-0edb-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Devices - Log Count By Device","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Devices - Log Count By Device\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Device\"}}]}"},"id":"5b3988c0-a840-11e7-893a-1b88920b2837","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Client Build","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Client Build\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.client_build.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.client_build.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Build\"}}]}"},"id":"bdae8640-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Security Protocol","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Security Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.security_protocol.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.security_protocol.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}"},"id":"dad85840-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM4OSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:rdp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"1aacbaf6-078a-4b6e-bbd2-ae21a4974aba\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"1aacbaf6-078a-4b6e-bbd2-ae21a4974aba\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"8abc0250-1076-45e8-b62b-54dc7dd0cfca\",\"w\":16,\"x\":13,\"y\":0},\"panelIndex\":\"8abc0250-1076-45e8-b62b-54dc7dd0cfca\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"dc48b27e-f00b-4723-87ab-64f726e51e74\",\"w\":19,\"x\":29,\"y\":0},\"panelIndex\":\"dc48b27e-f00b-4723-87ab-64f726e51e74\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"da3945b4-9e74-4bb9-8868-a13f1d9bc0d8\",\"w\":9,\"x\":0,\"y\":8},\"panelIndex\":\"da3945b4-9e74-4bb9-8868-a13f1d9bc0d8\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"f4437b55-61ef-4818-a8c4-448407c7052b\",\"w\":9,\"x\":9,\"y\":8},\"panelIndex\":\"f4437b55-61ef-4818-a8c4-448407c7052b\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"33630c53-4de4-4064-a319-bd71be01dc06\",\"w\":7,\"x\":18,\"y\":8},\"panelIndex\":\"33630c53-4de4-4064-a319-bd71be01dc06\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"ed8dee78-79d4-47cf-9ed5-6120f00f3aaf\",\"w\":7,\"x\":25,\"y\":8},\"panelIndex\":\"ed8dee78-79d4-47cf-9ed5-6120f00f3aaf\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"35083762-4591-44ac-a31f-36bed3414af2\",\"w\":7,\"x\":32,\"y\":8},\"panelIndex\":\"35083762-4591-44ac-a31f-36bed3414af2\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"66e7cf00-ec90-4df3-acd3-02fb271f0959\",\"w\":9,\"x\":39,\"y\":8},\"panelIndex\":\"66e7cf00-ec90-4df3-acd3-02fb271f0959\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - RDP","version":1},"id":"5b743150-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"bdae8640-75c5-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"dad85840-75c5-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"0c006bb0-75c6-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"2e7363f0-75c6-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Nodes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Nodes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"5cba9760-6e9b-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"MySQL - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"MySQL - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"5d9031a0-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Client Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Client Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Major Version\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.client_major_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.client_minor_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Minor Version\"}}]}"},"id":"5dcf09e0-75c8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Connection Information","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Connection Information\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connect_info.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection Info\"}}],\"listeners\":{}}"},"id":"5df79fe0-3809-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Process Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.executable.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Process Image\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"process.command_line.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Host - Process Name\"}"},"id":"5e18a970-c77f-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T16:18:12.759Z","version":"WzgzNCwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - URI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"uri.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}"},"id":"5e36c370-3753-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - FTP - Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp.argument.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"5fcdb0c0-755f-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - FIle Path","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - FIle Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"path.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Path\"}}],\"listeners\":{}}"},"id":"60384e00-3aaf-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Data Types","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Data Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Data Type\"}}],\"listeners\":{}}"},"id":"60925490-34bf-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSL - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"6139edd0-3641-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzM5OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Autoruns - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"bf5ab2d0-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Hostname (Tag Cloud)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Autoruns - Hostname (Tag Cloud)\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":10,\"maxFontSize\":30},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"c5d58f60-6d78-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Hostname","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"},"id":"df5e9e80-6d79-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Launch String","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Launch String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"launch_string.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Launch String\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}}],\"listeners\":{}}"},"id":"cfd94590-6d7a-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Company","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Autoruns - Company\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":36},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"company.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"96105ff0-6d7b-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Signer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Signer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"signer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Signer\"}}],\"listeners\":{}}"},"id":"6cf187b0-6d7c-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Autoruns - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHG1IaxQT5EBNmq4yR","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwNiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":24,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":24,\"i\":\"7\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":12,\"h\":24,\"x\":24,\"y\":24,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"10\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":48,\"h\":32,\"x\":0,\"y\":120,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"entry\",\"entry_location\",\"image_path\",\"hostname\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"Autoruns","version":1},"id":"61d43810-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"bf5ab2d0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"482be9b0-6d78-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"c5d58f60-6d78-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"1cd6a970-6d79-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"df5e9e80-6d79-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"2ef9ccd0-6d7a-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"cfd94590-6d7a-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"96105ff0-6d7b-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6cf187b0-6d7c-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHG1IaxQT5EBNmq4yR","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Source Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS Alerts - Source Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"620283e0-3af5-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Modbus - Function","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Modbus - Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"modbus.function.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"modbus.function.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}}]}"},"id":"62449800-75be-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQwOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Success","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - Success\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"id":"62969db0-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Destination IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"},"id":"62ac4060-6ea0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Desktop Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Desktop Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"desktop_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Desktop Name\"}}],\"listeners\":{}}"},"id":"63c072c0-371f-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Drilldown - Rule Signature","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Drilldown - Rule Signature\",\"type\":\"table\",\"params\":{\"perPage\":1,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"rule_signature.keyword\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"customLabel\":\"NIDS Signature\"}}]}"},"id":"6533dd40-e064-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Syslog - Facility","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Syslog - Facility\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"syslog.facility.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog.facility.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Facility\"}}]}"},"id":"e017cb80-777b-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Syslog - Severity","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog.severity.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - Syslog - Severity\"}"},"id":"9e1a4240-c77a-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T15:40:04.068Z","version":"WzgwMCwyXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:syslog\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"9c4d23d9-2dd5-4a9f-aa67-edc6b73f3086\"},\"panelIndex\":\"9c4d23d9-2dd5-4a9f-aa67-edc6b73f3086\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"a3e3afae-dd54-4024-9d09-608a6baecd42\"},\"panelIndex\":\"a3e3afae-dd54-4024-9d09-608a6baecd42\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"e7dbc7be-d1ef-499a-bbb6-2963bfdaabfb\"},\"panelIndex\":\"e7dbc7be-d1ef-499a-bbb6-2963bfdaabfb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":18,\"i\":\"e1ea8adf-acd8-4577-9c81-1acb711d20ce\"},\"panelIndex\":\"e1ea8adf-acd8-4577-9c81-1acb711d20ce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":8,\"y\":8,\"w\":8,\"h\":18,\"i\":\"16f2046a-4417-4e78-9699-65d253db78cb\"},\"panelIndex\":\"16f2046a-4417-4e78-9699-65d253db78cb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":16,\"y\":8,\"w\":11,\"h\":18,\"i\":\"226810af-b55b-4fba-99c8-0c28ca99aa37\"},\"panelIndex\":\"226810af-b55b-4fba-99c8-0c28ca99aa37\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":27,\"y\":8,\"w\":9,\"h\":18,\"i\":\"9cc5fffe-3834-4550-84e3-33d1246f68f6\"},\"panelIndex\":\"9cc5fffe-3834-4550-84e3-33d1246f68f6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":18,\"i\":\"cdad19b0-4f35-4143-8677-0a64a64dbca6\"},\"panelIndex\":\"cdad19b0-4f35-4143-8677-0a64a64dbca6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Syslog","version":1},"id":"66499a20-75ed-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"e017cb80-777b-11ea-bee5-af7f7c7b8e05","name":"panel_6","type":"visualization"},{"id":"9e1a4240-c77a-11ea-bebb-37c5ab5894ea","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-16T15:40:57.523Z","version":"WzgwMSwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Query/Answer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Query/Answer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"answers.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}],\"listeners\":{}}"},"id":"e8e3b8a0-34c1-11e7-917c-af7a9d11771a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alerts","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Alerts\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"c7eed4c0-3649-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"id":"6ef90c30-34c0-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQxOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sensors - Sensor and Services (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sensors - Sensor and Services (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"sensor_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"9c979ea0-345b-11e7-8867-29a39c0f86b2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top 50 - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Top 50 - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}]}"},"id":"73806f30-4948-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top 50 - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Top 50 - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP\"}}]}"},"id":"c0de57b0-4948-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyMiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":0,\"i\":\"2\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":120,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":144,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":144,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":180,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":180,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":120,\"i\":\"16\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"18\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"hostname\",\"alert_level\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":204,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"20\",\"gridData\":{\"w\":48,\"h\":12,\"x\":0,\"y\":168,\"i\":\"20\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"21\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":144,\"i\":\"21\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"22\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":96,\"i\":\"22\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"panelIndex\":\"23\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":96,\"i\":\"23\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\"},{\"panelIndex\":\"24\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"24\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_15\"},{\"panelIndex\":\"26\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":0,\"i\":\"26\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_16\",\"embeddableConfig\":{}},{\"panelIndex\":\"27\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":72,\"i\":\"27\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_17\",\"embeddableConfig\":{}},{\"panelIndex\":\"28\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":72,\"i\":\"28\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_18\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Indicator","version":1},"id":"68563ed0-34bf-11e7-9b32-bb903919ead9","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"60925490-34bf-11e7-9b32-bb903919ead9","name":"panel_1","type":"visualization"},{"id":"e8e3b8a0-34c1-11e7-917c-af7a9d11771a","name":"panel_2","type":"visualization"},{"id":"ae1f1fb0-3648-11e7-bf60-314364dd1cde","name":"panel_3","type":"visualization"},{"id":"d0f56da0-3648-11e7-bf60-314364dd1cde","name":"panel_4","type":"visualization"},{"id":"8ba31820-34c6-11e7-8360-0b86c90983fd","name":"panel_5","type":"visualization"},{"id":"7153e7f0-34c7-11e7-8360-0b86c90983fd","name":"panel_6","type":"visualization"},{"id":"c7eed4c0-3649-11e7-bf60-314364dd1cde","name":"panel_7","type":"visualization"},{"id":"45a652b0-34c1-11e7-917c-af7a9d11771a","name":"panel_8","type":"visualization"},{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"panel_10","type":"search"},{"id":"934fe550-6e08-11e7-9370-174c4785d3e1","name":"panel_11","type":"visualization"},{"id":"3f4abb40-6e0a-11e7-84cc-b363f104b3c7","name":"panel_12","type":"visualization"},{"id":"53ac63e0-365b-11e7-8bd0-1db2c55fb7a1","name":"panel_13","type":"visualization"},{"id":"6ef90c30-34c0-11e7-9b32-bb903919ead9","name":"panel_14","type":"visualization"},{"id":"07fdf9e0-39ad-11e7-8472-0151e5b2b475","name":"panel_15","type":"visualization"},{"id":"9c979ea0-345b-11e7-8867-29a39c0f86b2","name":"panel_16","type":"visualization"},{"id":"73806f30-4948-11e8-9576-313be7c6b44b","name":"panel_17","type":"visualization"},{"id":"c0de57b0-4948-11e8-9576-313be7c6b44b","name":"panel_18","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network Data - Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network Data - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"689991b0-6ea7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyNCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[25.16517336866393,0.17578125],\"mapZoom\":2}}]","timeRestore":false,"title":"Connections - Source - Originator Bytes","version":1},"id":"68f738e0-46ca-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"05809df0-46cb-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Version","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"snmp.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Version\"}}]}"},"id":"690ef880-75e9-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Weird - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}}]}"},"id":"691ade50-4c85-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"c97cd4c0-35ba-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"},"id":"710ccbf0-35bb-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQyOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Kerberos - Success Status (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Success Status (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"kerberos_success.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"b31231c0-35bb-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"id":"f0178840-35bb-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Kerberos - Cipher (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Cipher (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"cipher.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"e3fffae0-3635-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"84f28670-3636-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}],\"listeners\":{}}"},"id":"f7c48a20-6e19-11e7-89e4-613b96f597e1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Renewable","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Renewable\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"renewable.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Renewable\"}}],\"listeners\":{}}"},"id":"bb748470-6e1a-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Kerberos - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_UbkxQT5EBNmq4Lg","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzNiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"request_type\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":48,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":48,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":96,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":96,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":96,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":28,\"h\":24,\"x\":0,\"y\":72,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"Bro - Kerberos","version":1},"id":"6b0d4870-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"c97cd4c0-35ba-11e7-b9ee-834112670159","name":"panel_1","type":"visualization"},{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"710ccbf0-35bb-11e7-b9ee-834112670159","name":"panel_3","type":"visualization"},{"id":"b31231c0-35bb-11e7-b9ee-834112670159","name":"panel_4","type":"visualization"},{"id":"f0178840-35bb-11e7-b9ee-834112670159","name":"panel_5","type":"visualization"},{"id":"e3fffae0-3635-11e7-a6f7-4f44d7bf1c33","name":"panel_6","type":"visualization"},{"id":"28d04080-3636-11e7-a6f7-4f44d7bf1c33","name":"panel_7","type":"visualization"},{"id":"3f34faa0-3636-11e7-a6f7-4f44d7bf1c33","name":"panel_8","type":"visualization"},{"id":"84f28670-3636-11e7-a6f7-4f44d7bf1c33","name":"panel_9","type":"visualization"},{"id":"f7c48a20-6e19-11e7-89e4-613b96f597e1","name":"panel_10","type":"visualization"},{"id":"4aa0b2a0-6e1a-11e7-89e4-613b96f597e1","name":"panel_11","type":"visualization"},{"id":"bb748470-6e1a-11e7-b553-7f80727663c1","name":"panel_12","type":"visualization"},{"id":"AWDG_UbkxQT5EBNmq4Lg","name":"panel_13","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Destination Port","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Sysmon - Destination Port\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"6b70b840-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"6c60a280-76b5-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQzOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"},"id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Event ID (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon - Event ID (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event_id\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Event Type\"}}]}"},"id":"e09f6010-6d72-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Sysmon - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHHk1sxQT5EBNmq43Y","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0MywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"6\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":28,\"x\":8,\"y\":20,\"i\":\"7\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":20,\"h\":28,\"x\":28,\"y\":20,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"event_type\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"Sysmon - Logs","version":1},"id":"6d189680-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"3072c750-6d71-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"13ed0810-6d72-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"e09f6010-6d72-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"29611940-6d75-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6b70b840-6d75-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHHk1sxQT5EBNmq43Y","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Action (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Action (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"6f883480-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.subject.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0NiwxXQ=="} +{"attributes":{"buildNum":29118,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"\n}"},"id":"7.6.1","references":[],"type":"config","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0NywxXQ=="} +{"attributes":{"buildNum":30896,"dashboard:defaultDarkTheme":true,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/kibana#/dashboard/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":"100","theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"\n}"},"id":"7.7.1","references":[],"type":"config","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - MIME Flavors","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - MIME Flavors\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.flavors.mime.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ0OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_9KpxQT5EBNmq4Oo","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1MCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":8,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Modbus","version":1},"id":"70c005f0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"178209e0-6e1b-11e7-b553-7f80727663c1","name":"panel_5","type":"visualization"},{"id":"AWDG_9KpxQT5EBNmq4Oo","name":"panel_6","type":"visualization"},{"id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Chrome Extensions - Change Stats","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"osquery - ChromeExt - Change Stats\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":70}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"osquery.hostIdentifier.keyword\",\"customLabel\":\"Endpoints\"}}]}"},"id":"71538370-18d5-11e9-932c-d12d2cf4ee95","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Total Bytes Per Source/Destination IP Pair","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Total Bytes\",\"field\":\"total_bytes\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_term\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"2-orderAgg\",\"params\":{\"field\":\"total_bytes\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"3-orderAgg\",\"params\":{\"field\":\"total_bytes\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connections - Total Bytes Per Source/Destination IP Pair\",\"type\":\"table\"}"},"id":"726cc040-48cf-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - File Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - File Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Name\"}}],\"listeners\":{}}"},"id":"72f0f010-3aaf-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Log Type Per Sensor/Device","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Log Type Per Sensor/Device\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor/Device\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type\"}}]}"},"id":"733ce440-494d-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Signing Algorithm","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"X.509 - Certificate Signing Algorithm\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"certificate_signing_algorithm.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Algorithm\"}}]}"},"id":"738127f0-37d7-11e7-9efb-91e89505091f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - Command","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - FTP - Command\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ftp.command.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"d3435690-755f-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - User","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"ftp.user.keyword\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/kibana\",\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\"}}},\"label\":\"ftp.user.keyword: Descending\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Security Onion - FTP - User\",\"type\":\"table\"}"},"id":"8346bc70-7561-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - Password","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - FTP - Password\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ftp.password.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp.password.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Password\"}}]}"},"id":"bc3e2bd0-7561-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ1OSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:ftp\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\"},\"panelIndex\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":15,\"h\":8,\"i\":\"1b99097d-a957-4163-9810-263a0e653c18\"},\"panelIndex\":\"1b99097d-a957-4163-9810-263a0e653c18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":8,\"i\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\"},\"panelIndex\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\"},\"panelIndex\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\"},\"panelIndex\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":8,\"w\":13,\"h\":19,\"i\":\"1bf79bc6-8595-41e0-8a7e-2b21bd2bd928\"},\"panelIndex\":\"1bf79bc6-8595-41e0-8a7e-2b21bd2bd928\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":31,\"y\":8,\"w\":17,\"h\":19,\"i\":\"e244437a-17a5-4e00-9176-f4e88ac54938\"},\"panelIndex\":\"e244437a-17a5-4e00-9176-f4e88ac54938\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":22,\"h\":16,\"i\":\"9196bb67-30ad-4a8e-b75f-22a9cced6f35\"},\"panelIndex\":\"9196bb67-30ad-4a8e-b75f-22a9cced6f35\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":27,\"w\":26,\"h\":16,\"i\":\"9da1ff1b-aebe-45fb-9e48-420eafb1b655\"},\"panelIndex\":\"9da1ff1b-aebe-45fb-9e48-420eafb1b655\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - FTP","version":1},"id":"739bfad0-755a-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"d3435690-755f-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"5fcdb0c0-755f-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"8346bc70-7561-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"bc3e2bd0-7561-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - \"From\" Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - \\\"From\\\" Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mail_from.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"From\\\" Address\"}}],\"listeners\":{}}"},"id":"73b1b240-39a2-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_agent.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}"},"id":"73f663f0-3753-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND highest_registered_domain:securityonion.net~ -securityonion.net\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Phishing Attempts Against Organizational Domain(s)","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 0\":\"rgb(0,104,55)\",\"1 - 999999\":\"rgb(165,0,38)\"}}}","version":1,"visState":"{\"title\":\"DNS - Phishing Attempts Against Organizational Domain(s)\",\"type\":\"gauge\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"gauge\":{\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":0},{\"from\":1,\"to\":999999}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"#eee\",\"bgColor\":false,\"subText\":\"Edit this to reflect your domain(s)\",\"fontSize\":60,\"labelColor\":true},\"alignment\":\"horizontal\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Phishing attempts against your domain(s)\"}}],\"listeners\":{}}"},"id":"74861280-6f06-11e7-b253-211f64f37eda","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Cookie","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"cookie.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Cookie\"}}],\"listeners\":{}}"},"id":"75597b60-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Tunnels - Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Tunnels - Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"tunnel.type.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"tunnel.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"id":"781447d0-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Chrome Extensions - Sensitive Permissions","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"osquery - Chrome Extensions - Sensitive Permissions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.columns.name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Extension Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.columns.permissions.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Permissions\"}}]}"},"id":"78cf8bf0-1a59-11e9-ac0b-cb0ba10141ab","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"040dda10-18d8-11e9-932c-d12d2cf4ee95","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"MySQL - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"MySQL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHBRrrxQT5EBNmq4TI","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ2OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"MySQL - Response","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"MySQL - Response\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"response.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response\"}}]}"},"id":"9c411ad0-4a58-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"MySQL - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"MySQL - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql_success.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"c48925a0-4a58-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3MSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":8,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - MySQL","version":1},"id":"7929f430-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"5d9031a0-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"07e25650-3812-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"},{"id":"AWDHBRrrxQT5EBNmq4TI","name":"panel_4","type":"visualization"},{"id":"9c411ad0-4a58-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"c48925a0-4a58-11e8-9b0a-f1d33346f773","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FIle - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - FIle - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Name\"}}]}"},"id":"7a88adc0-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Client Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Client Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_major_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_minor_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}"},"id":"7c1e3f70-6e22-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMTP - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"7c922990-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_http AND _exists_:virtual_host_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"HTTP - Virtual Host Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Virtual Host Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"virtual_host_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Virtual Host\"}}],\"listeners\":{}}"},"id":"7d1ede50-6f19-11e7-86c8-a1b6db3b051a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Authentication Sucess","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SSH - Authentication Sucess\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.authentication.success: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssh.authentication.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"id":"7d61f430-75ea-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"7dc62970-6e2a-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Machine","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"PE - Machine\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"machine.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Machine\"}}],\"listeners\":{}}"},"id":"7de76e10-6e1f-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ3OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:highest_registered_domain_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Highest Registered Domain Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Highest Registered Domain Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"highest_registered_domain_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}],\"listeners\":{}}"},"id":"7f1f00a0-6f04-11e7-b253-211f64f37eda","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alerts Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS - Alerts Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"d58ec1a0-34e4-11e7-9669-7f1d3242b798","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS Alerts - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"a6df8820-399f-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS Alerts - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"db04aef0-399f-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Severity (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS Alerts - Severity (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"priority.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Priority\"}}],\"listeners\":{}}"},"id":"ba60bcf0-3af5-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alerts By Country (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"NIDS - Alerts By Country (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"},"id":"81de16f0-6e0f-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alert Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"NIDS - Alert Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG3ym0xQT5EBNmq3mG","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Alert Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Alert Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Alert\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"},"id":"96c2cf10-4a3d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Classification","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Classification\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"classification.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Classification\"}}]}"},"id":"d66d54c0-4c89-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4OCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"panelIndex\":\"4\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":48,\"h\":68,\"x\":0,\"y\":120,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":96,\"i\":\"8\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":96,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"14\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":32,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"16\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"17\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":44,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"panelIndex\":\"18\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"19\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"NIDS","version":1},"id":"7f27a830-34e5-11e7-9669-7f1d3242b798","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"d58ec1a0-34e4-11e7-9669-7f1d3242b798","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"a6df8820-399f-11e7-8472-0151e5b2b475","name":"panel_3","type":"visualization"},{"id":"db04aef0-399f-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"620283e0-3af5-11e7-a83b-b1b4da7d15f4","name":"panel_5","type":"visualization"},{"id":"ba60bcf0-3af5-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"45464b50-3af6-11e7-a83b-b1b4da7d15f4","name":"panel_7","type":"visualization"},{"id":"81de16f0-6e0f-11e7-8624-1fb07dd76c6a","name":"panel_8","type":"visualization"},{"id":"AWDG3ym0xQT5EBNmq3mG","name":"panel_9","type":"visualization"},{"id":"96c2cf10-4a3d-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"},{"id":"3f040620-4a44-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"},{"id":"d66d54c0-4c89-11e8-9b0a-f1d33346f773","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ4OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Destination - Top Connection Duration (Tile Map)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Destination - Top Connection Duration (Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"7f7492d0-46c4-11e7-a82e-d97152153689","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ5MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - MAC","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - MAC\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"host.mac.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MAC\"}}]}"},"id":"eaa31ba0-7374-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ5MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Requested Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Requested Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.requested_address.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Requested Address\"}}]}"},"id":"9a693c50-7374-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ5MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Assigned Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Assigned Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.assigned_ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Assigned Address\"}}]}"},"id":"cc3aaf20-7374-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ5MywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dhcp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"7e10f47b-2096-452d-9b40-be150226504f\"},\"panelIndex\":\"7e10f47b-2096-452d-9b40-be150226504f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":10,\"h\":9,\"i\":\"a795e5b9-2afd-43ef-91db-cd9c23a996f9\"},\"panelIndex\":\"a795e5b9-2afd-43ef-91db-cd9c23a996f9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":23,\"y\":0,\"w\":25,\"h\":9,\"i\":\"d0f65b83-17cd-4a8c-950d-06e5e88bf80b\"},\"panelIndex\":\"d0f65b83-17cd-4a8c-950d-06e5e88bf80b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":20,\"i\":\"c5565d1e-719c-4401-b886-1ad84638b855\"},\"panelIndex\":\"c5565d1e-719c-4401-b886-1ad84638b855\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":20,\"i\":\"ada9481a-335b-4091-ac4e-5f94c96e4cea\"},\"panelIndex\":\"ada9481a-335b-4091-ac4e-5f94c96e4cea\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":8,\"h\":20,\"i\":\"bcba795f-8008-4f91-887d-35b5aff11022\"},\"panelIndex\":\"bcba795f-8008-4f91-887d-35b5aff11022\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":24,\"y\":9,\"w\":7,\"h\":20,\"i\":\"a9615bc2-7e50-4a88-be1c-53eb7096e093\"},\"panelIndex\":\"a9615bc2-7e50-4a88-be1c-53eb7096e093\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":31,\"y\":9,\"w\":17,\"h\":20,\"i\":\"87dce718-7595-4bb0-b1be-b2f51518f026\"},\"panelIndex\":\"87dce718-7595-4bb0-b1be-b2f51518f026\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - DHCP","version":1},"id":"80625c10-96dd-11ea-814e-bb515e873c2c","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"eaa31ba0-7374-11ea-a3da-cbdb4f8a90c0","name":"panel_3","type":"visualization"},{"id":"9a693c50-7374-11ea-a3da-cbdb4f8a90c0","name":"panel_4","type":"visualization"},{"id":"cc3aaf20-7374-11ea-a3da-cbdb4f8a90c0","name":"panel_5","type":"visualization"},{"id":"2af5f980-96e2-11ea-814e-bb515e873c2c","name":"panel_6","type":"visualization"},{"id":"36200e40-c76b-11ea-bebb-37c5ab5894ea","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-16T13:50:09.463Z","version":"WzczOSwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"PE - Subsystem (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PE - Subsystem (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"subsystem.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"807da390-380c-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ5NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - PE - Subsytem","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.subsystem.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subsystem\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - PE - Subsytem\"}"},"id":"80a39cb0-c762-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T12:49:05.687Z","version":"WzcyOSwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - Success\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.success: Descending\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"id":"80aa0c60-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ5NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - SID","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - SID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.uuid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Rule ID\"}}]}"},"id":"a47ffc70-96f0-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzQ5OCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:alert AND event.module:suricata\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":8,\"i\":\"afb23064-13dc-4b97-b1be-cf672a6cfb56\"},\"panelIndex\":\"afb23064-13dc-4b97-b1be-cf672a6cfb56\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":7,\"y\":0,\"w\":17,\"h\":8,\"i\":\"67961875-85aa-443b-9cac-130c8783cd8d\"},\"panelIndex\":\"67961875-85aa-443b-9cac-130c8783cd8d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":8,\"i\":\"44bf55fb-18d8-4ae6-a15a-902042d3623c\"},\"panelIndex\":\"44bf55fb-18d8-4ae6-a15a-902042d3623c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":28,\"y\":8,\"w\":10,\"h\":20,\"i\":\"ab088b32-c40e-4a1c-9dcd-758c1ad97edc\"},\"panelIndex\":\"ab088b32-c40e-4a1c-9dcd-758c1ad97edc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":38,\"y\":8,\"w\":10,\"h\":20,\"i\":\"2faea405-e4d3-488b-adfa-373b135d2122\"},\"panelIndex\":\"2faea405-e4d3-488b-adfa-373b135d2122\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":19,\"h\":20,\"i\":\"cedf23aa-c331-496a-bf27-7c9c8f587d80\"},\"panelIndex\":\"cedf23aa-c331-496a-bf27-7c9c8f587d80\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":19,\"y\":8,\"w\":9,\"h\":20,\"i\":\"a2e54d3b-ee05-4d67-82d2-4ac917d9ec4b\"},\"panelIndex\":\"a2e54d3b-ee05-4d67-82d2-4ac917d9ec4b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":38,\"y\":28,\"w\":10,\"h\":18,\"i\":\"0681c2c1-531d-4f5e-a73f-8382789cbd14\"},\"panelIndex\":\"0681c2c1-531d-4f5e-a73f-8382789cbd14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":28,\"w\":16,\"h\":18,\"i\":\"728a4c22-9a7e-4152-a4d6-eed2d728abb8\"},\"panelIndex\":\"728a4c22-9a7e-4152-a4d6-eed2d728abb8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":16,\"y\":28,\"w\":22,\"h\":18,\"i\":\"32459b34-f7be-4ac0-a672-7a9697ce3bca\"},\"panelIndex\":\"32459b34-f7be-4ac0-a672-7a9697ce3bca\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - Alerts - Suricata","version":1},"id":"81057f40-7733-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"a47ffc70-96f0-11ea-814e-bb515e873c2c","name":"panel_7","type":"visualization"},{"id":"a37b9fa0-72b0-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-16T16:34:37.522Z","version":"Wzg0MiwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Response From","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Response From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.response.from.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.response.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Response From\"}}]}"},"id":"81a1a740-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"8261cf00-366e-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SNMP - Community String","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Community String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"community.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Community String\"}}]}"},"id":"83a91450-4c79-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network Data Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network Data Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":true,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"date\":true,\"interval\":\"PT30M\",\"intervalESValue\":30,\"intervalESUnit\":\"m\",\"format\":\"HH:mm\",\"bounds\":{\"min\":\"2020-03-24T15:15:25.819Z\",\"max\":\"2020-03-25T15:15:25.819Z\"}},\"label\":\"@timestamp per 30 minutes\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"id":"8491c4b0-6eab-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DHCP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"e9a7fe80-357b-11e7-ac34-8965f6420c51","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DHCP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG80RwxQT5EBNmq38x","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Message Types","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Message Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message_types.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message Types\"}}]}"},"id":"a88e1020-0edb-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Domain Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Domain Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"domain_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Domain Name\"}}]}"},"id":"ce859b40-0edb-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwNywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":76,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":21,\"y\":52,\"w\":13,\"h\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":8,\"y\":52,\"w\":13,\"h\":24,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"x\":8,\"y\":8,\"w\":40,\"h\":25,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":76,\"w\":48,\"h\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":null}}}},\"gridData\":{\"x\":34,\"y\":52,\"w\":14,\"h\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":33,\"w\":26,\"h\":19,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"x\":34,\"y\":33,\"w\":14,\"h\":19,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelIndex\":\"16\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Bro - DHCP","version":1},"id":"85348270-357b-11e7-ac34-8965f6420c51","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"e9a7fe80-357b-11e7-ac34-8965f6420c51","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"1055ada0-3655-11e7-baa7-b7de4ee40605","name":"panel_2","type":"visualization"},{"id":"317f8410-3655-11e7-baa7-b7de4ee40605","name":"panel_3","type":"visualization"},{"id":"AWDG80RwxQT5EBNmq38x","name":"panel_4","type":"visualization"},{"id":"4e877100-4a48-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"58c84f60-0edb-11e9-9846-59f545e7293f","name":"panel_7","type":"visualization"},{"id":"a88e1020-0edb-11e9-9846-59f545e7293f","name":"panel_8","type":"visualization"},{"id":"ce859b40-0edb-11e9-9846-59f545e7293f","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"85e40a70-3aac-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUwOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Authentication Status (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RFB - Authentication Status (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"auth.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Status\"}}],\"listeners\":{}}"},"id":"869e3030-371e-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Modbus - Exception","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Modbus - Exception\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"modbus.exception.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"modbus.exception.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Exception\"}}]}"},"id":"93cdb730-75be-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxMSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:modbus\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"dcdc1d0b-bec1-402d-a34b-39464e9a2749\"},\"panelIndex\":\"dcdc1d0b-bec1-402d-a34b-39464e9a2749\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"ccbb40c9-d2e4-4592-a91f-b1f6912a35f9\"},\"panelIndex\":\"ccbb40c9-d2e4-4592-a91f-b1f6912a35f9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"32fd8cfa-64ad-41d7-b4f7-2c71f351916a\"},\"panelIndex\":\"32fd8cfa-64ad-41d7-b4f7-2c71f351916a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":19,\"i\":\"b15f438a-6f24-4099-90e6-d66f950029bc\"},\"panelIndex\":\"b15f438a-6f24-4099-90e6-d66f950029bc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":8,\"w\":8,\"h\":19,\"i\":\"089f29d5-cf23-4b6a-8b80-27911ffd6b1a\"},\"panelIndex\":\"089f29d5-cf23-4b6a-8b80-27911ffd6b1a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":8,\"w\":14,\"h\":19,\"i\":\"4154e8b1-e314-4623-aaf4-0404a108551a\"},\"panelIndex\":\"4154e8b1-e314-4623-aaf4-0404a108551a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":19,\"i\":\"8acbc44d-4fe2-42b0-a6e9-4a3bc4e4aeb6\"},\"panelIndex\":\"8acbc44d-4fe2-42b0-a6e9-4a3bc4e4aeb6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - Modbus","version":1},"id":"886a7b90-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"62449800-75be-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"93cdb730-75be-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PE - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"9cffd160-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"PE - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHCUeZxQT5EBNmq4Xy","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxNCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"fuid\",\"machine\",\"is_exe\",\"is_64bit\",\"subsystem\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Bro - PE","version":1},"id":"8a10e380-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"9cffd160-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"45c4ae10-380c-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"807da390-380c-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"4e56b4d0-416f-11e7-9850-b78558d0ac17","name":"panel_5","type":"visualization"},{"id":"7de76e10-6e1f-11e7-b553-7f80727663c1","name":"panel_6","type":"visualization"},{"id":"AWDHCUeZxQT5EBNmq4Xy","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"8a60eb50-365f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - HASSH","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSH - HASSH\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.hassh.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"8afa5f50-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Notice Generated (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Weird - Notice Generated (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"notice.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"8dbbbed0-364e-11e7-9dc3-d35061cb642d","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Client Build","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Client Build\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"client_build.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client Build\"}}]}"},"id":"8e18ee60-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUxOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND _exists_:certificate_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"SSL - Certificate Common Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"certificate_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}}],\"listeners\":{}}"},"id":"8fa702e0-6f0b-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Files - MIME Type","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Files - MIME Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.mimetype.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"file.mimetype.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MIMEType\"}}]}"},"id":"8fb3c480-75f2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"All Sensors - Log Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"All Sensors - Log Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type(s)\"}}]}"},"id":"901bda80-a83f-11e7-893a-1b88920b2837","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RADIUS - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"ccb3e270-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"b48442b0-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"cea78b70-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"b0456970-6e1f-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"RADIUS - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHCgWzxQT5EBNmq4Y5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RADIUS - Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"},"id":"e827bab0-4a5a-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyOCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":24,\"y\":56,\"w\":24,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":56,\"w\":24,\"h\":24,\"i\":\"9\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"11\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":24,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"16\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":24,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - RADIUS","version":1},"id":"90b246c0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"ccb3e270-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"b48442b0-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"cea78b70-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"10cd7190-3809-11e7-a1cc-ebc6a7e70e84","name":"panel_4","type":"visualization"},{"id":"5df79fe0-3809-11e7-a1cc-ebc6a7e70e84","name":"panel_5","type":"visualization"},{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"b0456970-6e1f-11e7-b553-7f80727663c1","name":"panel_7","type":"visualization"},{"id":"AWDHCgWzxQT5EBNmq4Y5","name":"panel_8","type":"visualization"},{"id":"e827bab0-4a5a-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"},{"id":"30348db0-4a5b-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUyOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SIP - Destination Country (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Destination Country (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"90bf0a80-3750-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - ID","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - ID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.id.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ID\"}}]}"},"id":"91bd9990-7737-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Log Count Over Time","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"92b202e0-76b4-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Agent Name\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"id":"f03402e0-72bc-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzNCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.category:host\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"c743998d-d4c5-429f-87ce-67bac2649e72\"},\"panelIndex\":\"c743998d-d4c5-429f-87ce-67bac2649e72\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":15,\"h\":8,\"i\":\"8acc6336-35b7-4c1a-b0ef-3b3ec6870b1f\"},\"panelIndex\":\"8acc6336-35b7-4c1a-b0ef-3b3ec6870b1f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":23,\"y\":0,\"w\":25,\"h\":8,\"i\":\"8485e0bf-8342-42ff-82b4-eb2611191060\"},\"panelIndex\":\"8485e0bf-8342-42ff-82b4-eb2611191060\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":7,\"h\":18,\"i\":\"ba08df96-10b9-4b30-803f-f40387867ccc\"},\"panelIndex\":\"ba08df96-10b9-4b30-803f-f40387867ccc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":7,\"y\":8,\"w\":7,\"h\":18,\"i\":\"254bcae3-60d3-4193-b258-6f9f3eba0af3\"},\"panelIndex\":\"254bcae3-60d3-4193-b258-6f9f3eba0af3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":14,\"y\":8,\"w\":9,\"h\":18,\"i\":\"89d115c0-ee70-4250-9742-fb3c554e69a7\"},\"panelIndex\":\"89d115c0-ee70-4250-9742-fb3c554e69a7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":23,\"y\":8,\"w\":25,\"h\":18,\"i\":\"0c1675bb-01ef-4020-95f1-3f35e0c6fad8\"},\"panelIndex\":\"0c1675bb-01ef-4020-95f1-3f35e0c6fad8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - Host","version":1},"id":"92e63cc0-6ec0-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"f03402e0-72bc-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"758187b0-72bd-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-16T16:19:17.868Z","version":"WzgzNiwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Content Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Content Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"content_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Content Type\"}}],\"listeners\":{}}"},"id":"930b1600-3753-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzNiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:ossec AND event.dataset:alert\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"c2172038-7740-458c-977a-98d139c438c2\"},\"panelIndex\":\"c2172038-7740-458c-977a-98d139c438c2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":18,\"h\":8,\"i\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\"},\"panelIndex\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":8,\"i\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\"},\"panelIndex\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":12,\"h\":19,\"i\":\"1f88747a-06f5-4450-8d08-150d0cd37667\"},\"panelIndex\":\"1f88747a-06f5-4450-8d08-150d0cd37667\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":8,\"w\":11,\"h\":19,\"i\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\"},\"panelIndex\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":8,\"w\":7,\"h\":19,\"i\":\"a4bd8139-6fdd-476e-b6ff-8dd036e0f747\"},\"panelIndex\":\"a4bd8139-6fdd-476e-b6ff-8dd036e0f747\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":8,\"w\":8,\"h\":19,\"i\":\"df2cccc2-5ac2-4522-9756-76a16ba2b0ce\"},\"panelIndex\":\"df2cccc2-5ac2-4522-9756-76a16ba2b0ce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":38,\"y\":8,\"w\":10,\"h\":19,\"i\":\"8b5674df-aad2-4af7-aa91-90a9d3e3980c\"},\"panelIndex\":\"8b5674df-aad2-4af7-aa91-90a9d3e3980c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":21,\"i\":\"28431fa5-4ce9-40db-a190-541b3390f9d0\"},\"panelIndex\":\"28431fa5-4ce9-40db-a190-541b3390f9d0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - Wazuh","version":1},"id":"9480f190-7732-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"91bd9990-7737-11ea-bee5-af7f7c7b8e05","name":"panel_5","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"407784f0-7738-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"search"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Total Number of Logs","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Total Number of Logs\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total Number of Logs\"}}],\"listeners\":{}}"},"id":"AWDGyaGxxQT5EBNmq3K9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sensors - Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Sensors - Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"sensor_name.keyword\"}}],\"listeners\":{}}"},"id":"AWDGzmzcxQT5EBNmq3Sj","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzUzOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Devices - Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Devices - Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"syslog-host_from.keyword\"}}],\"listeners\":{}}"},"id":"AWDG0UDvxQT5EBNmq3WD","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0MCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":132,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":28,\"h\":8,\"x\":20,\"y\":0,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"19\",\"gridData\":{\"w\":48,\"h\":16,\"x\":0,\"y\":56,\"i\":\"19\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"21\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"21\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"23\",\"gridData\":{\"w\":16,\"h\":32,\"x\":32,\"y\":24,\"i\":\"23\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"32\",\"gridData\":{\"w\":12,\"h\":8,\"x\":8,\"y\":0,\"i\":\"32\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"33\",\"gridData\":{\"w\":8,\"h\":16,\"x\":32,\"y\":8,\"i\":\"33\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"34\",\"gridData\":{\"w\":8,\"h\":16,\"x\":40,\"y\":8,\"i\":\"34\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"35\",\"gridData\":{\"w\":16,\"h\":8,\"x\":0,\"y\":72,\"i\":\"35\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"36\",\"gridData\":{\"w\":16,\"h\":8,\"x\":16,\"y\":72,\"i\":\"36\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"37\",\"gridData\":{\"w\":16,\"h\":8,\"x\":32,\"y\":72,\"i\":\"37\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\"},{\"panelIndex\":\"38\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":32,\"i\":\"38\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"39\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":108,\"i\":\"39\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\",\"embeddableConfig\":{}},{\"panelIndex\":\"40\",\"gridData\":{\"w\":24,\"h\":28,\"x\":24,\"y\":80,\"i\":\"40\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}},{\"panelIndex\":\"41\",\"gridData\":{\"w\":24,\"h\":28,\"x\":0,\"y\":80,\"i\":\"41\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_15\"}]","timeRestore":false,"title":"Overview","version":1},"id":"94b52620-342a-11e7-9d52-4f090484f59e","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"panel_1","type":"search"},{"id":"1c2aeb50-365e-11e7-b896-5bdd6bfa1561","name":"panel_2","type":"visualization"},{"id":"277f3250-4161-11e7-8493-51634b0a4565","name":"panel_3","type":"visualization"},{"id":"901bda80-a83f-11e7-893a-1b88920b2837","name":"panel_4","type":"visualization"},{"id":"5b3988c0-a840-11e7-893a-1b88920b2837","name":"panel_5","type":"visualization"},{"id":"AWDGyaGxxQT5EBNmq3K9","name":"panel_6","type":"visualization"},{"id":"AWDGzmzcxQT5EBNmq3Sj","name":"panel_7","type":"visualization"},{"id":"AWDG0UDvxQT5EBNmq3WD","name":"panel_8","type":"visualization"},{"id":"AWDG1uC-xQT5EBNmq3dP","name":"panel_9","type":"visualization"},{"id":"AWDG3ym0xQT5EBNmq3mG","name":"panel_10","type":"visualization"},{"id":"AWDG4pcDxQT5EBNmq3pi","name":"panel_11","type":"visualization"},{"id":"733ce440-494d-11e8-9576-313be7c6b44b","name":"panel_12","type":"visualization"},{"id":"2a949080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_13","type":"visualization"},{"id":"96c2cf10-4a3d-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"},{"id":"ee0ba080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_15","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - PE - OS","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.os.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"OS\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - PE - OS\"}"},"id":"b449a870-c762-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T12:48:53.367Z","version":"WzcyOCwyXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:pe\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"858c0209-49ab-4c0c-9b9c-bc71e363be32\"},\"panelIndex\":\"858c0209-49ab-4c0c-9b9c-bc71e363be32\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":12,\"h\":9,\"i\":\"94db978d-70ba-4ade-a680-1297961aa832\"},\"panelIndex\":\"94db978d-70ba-4ade-a680-1297961aa832\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":9,\"i\":\"8973a749-ddc9-4476-8946-280e748da61e\"},\"panelIndex\":\"8973a749-ddc9-4476-8946-280e748da61e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":10,\"h\":18,\"i\":\"8797e1d3-84b0-4840-9ba3-6e74f15a5f08\"},\"panelIndex\":\"8797e1d3-84b0-4840-9ba3-6e74f15a5f08\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":10,\"y\":9,\"w\":15,\"h\":18,\"i\":\"b9da8481-6781-4431-83de-c51834199de7\"},\"panelIndex\":\"b9da8481-6781-4431-83de-c51834199de7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":25,\"y\":9,\"w\":10,\"h\":18,\"i\":\"ceba5670-4f26-411e-a19a-e130cf715228\"},\"panelIndex\":\"ceba5670-4f26-411e-a19a-e130cf715228\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":35,\"y\":9,\"w\":13,\"h\":18,\"i\":\"5f1b3a55-7919-448d-897c-fc7166b283d0\"},\"panelIndex\":\"5f1b3a55-7919-448d-897c-fc7166b283d0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - PE","version":1},"id":"94b55b90-c761-11ea-bebb-37c5ab5894ea","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"80a39cb0-c762-11ea-bebb-37c5ab5894ea","name":"panel_3","type":"visualization"},{"id":"b449a870-c762-11ea-bebb-37c5ab5894ea","name":"panel_4","type":"visualization"},{"id":"07419650-c763-11ea-bebb-37c5ab5894ea","name":"panel_5","type":"visualization"},{"id":"282bf2c0-c763-11ea-bebb-37c5ab5894ea","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-16T12:52:57.735Z","version":"WzczMiwyXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:snmp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"752f2974-3abc-482c-afdc-c85cf5643cc6\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"752f2974-3abc-482c-afdc-c85cf5643cc6\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"dfa3b3da-b86b-4d11-add3-c7e18c40654b\",\"w\":17,\"x\":13,\"y\":0},\"panelIndex\":\"dfa3b3da-b86b-4d11-add3-c7e18c40654b\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"4c444c07-93f9-43d2-966e-1a0db864c011\",\"w\":18,\"x\":30,\"y\":0},\"panelIndex\":\"4c444c07-93f9-43d2-966e-1a0db864c011\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"3f20fbbb-d47b-4b9e-94a0-f5f144ce0dd2\",\"w\":9,\"x\":0,\"y\":8},\"panelIndex\":\"3f20fbbb-d47b-4b9e-94a0-f5f144ce0dd2\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"5c5850b6-1e17-4d4a-9122-8d6a6b275fb0\",\"w\":10,\"x\":9,\"y\":8},\"panelIndex\":\"5c5850b6-1e17-4d4a-9122-8d6a6b275fb0\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"2df47b07-dcfd-46a9-a908-cd03bb3ae82e\",\"w\":11,\"x\":19,\"y\":8},\"panelIndex\":\"2df47b07-dcfd-46a9-a908-cd03bb3ae82e\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"7fec36da-2c28-4eef-9d15-bd5d64628d1d\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"7fec36da-2c28-4eef-9d15-bd5d64628d1d\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - SNMP","version":1},"id":"96522610-75e8-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"424ace90-75e9-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"690ef880-75e9-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - \"To\" Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - \\\"To\\\" Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"recipient_to.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"To\\\" Address\"}}],\"listeners\":{}}"},"id":"96767400-39a2-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"fd549d70-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f9a16c80-371b-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Keyboard Layout (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Keyboard Layout (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"keyboard_layout.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Keyboard Layout\"}}]}"},"id":"be7637c0-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Result (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Result (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"result.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Result\"}}]}"},"id":"c4f37d70-6e20-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Encryption Level (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"RDP - Encryption Level (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Encryption Level\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"encryption_level.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Encryption Level\"}}]}"},"id":"ef307a70-6e20-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"RDP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHCvBexQT5EBNmq4aK","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU0OSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"w\":12,\"h\":12,\"x\":36,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":12,\"h\":12,\"x\":8,\"y\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":16,\"h\":12,\"x\":20,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":20,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"Bro - RDP","version":1},"id":"97f8c3a0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"fd549d70-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"f9a16c80-371b-11e7-90f8-87842d5eedc9","name":"panel_3","type":"visualization"},{"id":"0b9dea80-371c-11e7-90f8-87842d5eedc9","name":"panel_4","type":"visualization"},{"id":"19dfd180-371c-11e7-90f8-87842d5eedc9","name":"panel_5","type":"visualization"},{"id":"524e13b0-371c-11e7-90f8-87842d5eedc9","name":"panel_6","type":"visualization"},{"id":"75597b60-371c-11e7-90f8-87842d5eedc9","name":"panel_7","type":"visualization"},{"id":"8e18ee60-371c-11e7-90f8-87842d5eedc9","name":"panel_8","type":"visualization"},{"id":"be7637c0-371c-11e7-90f8-87842d5eedc9","name":"panel_9","type":"visualization"},{"id":"c4f37d70-6e20-11e7-b553-7f80727663c1","name":"panel_10","type":"visualization"},{"id":"ef307a70-6e20-11e7-b553-7f80727663c1","name":"panel_11","type":"visualization"},{"id":"AWDHCvBexQT5EBNmq4aK","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"9a33f9a0-365f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"9a54f150-366e-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1MiwxXQ=="} +{"attributes":{"columns":["source_ip","name","software_type"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_software\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Software - Logs","version":1},"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.4.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Software - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Software - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version_major.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version_minor.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"software_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}}]}"},"id":"9b0f6a80-4c7a-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Zeek - Notice","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Zeek - Notice\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"notice.note.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Notice\"}}]}"},"id":"9c6ccff0-7a84-11ea-9d13-57f5db13d1ed","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1NSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"meta\":{\"negate\":true,\"disabled\":true,\"alias\":\"Initial Systems/Queries\",\"type\":\"phrase\",\"key\":\"osquery.counter\",\"value\":\"0\",\"params\":{\"query\":0,\"type\":\"phrase\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"osquery.counter\":{\"query\":0,\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"type\":\"phrases\",\"key\":\"osquery.codename\",\"value\":\"server\",\"params\":[\"server\"],\"negate\":false,\"disabled\":true,\"alias\":\"Servers Only\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"osquery.codename\":\"server\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":64,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"columns\":[\"osquery.hostname\",\"osquery.name\",\"osquery.LiveQuery\",\"osquery.EndpointIP1\",\"osquery.EndpointIP2\"]},\"gridData\":{\"x\":8,\"y\":27,\"w\":40,\"h\":21,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":13,\"i\":\"12\"},\"panelIndex\":\"12\",\"title\":\"\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"x\":8,\"y\":13,\"w\":40,\"h\":14,\"i\":\"13\"},\"version\":\"7.3.0\",\"panelIndex\":\"13\",\"embeddableConfig\":{},\"title\":\"Changes by Type\",\"panelRefName\":\"panel_3\"},{\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":13,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelIndex\":\"14\",\"embeddableConfig\":{},\"title\":\"Changes by Hostname\",\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"osquery - Overview","version":1},"id":"9d0e2da0-14e1-11e9-82f7-0da02d93a48b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index","type":"index-pattern"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"panel_1","type":"search"},{"id":"2f556c90-14e3-11e9-82f7-0da02d93a48b","name":"panel_2","type":"visualization"},{"id":"369e16e0-14e4-11e9-82f7-0da02d93a48b","name":"panel_3","type":"visualization"},{"id":"05a5ed10-14e4-11e9-82f7-0da02d93a48b","name":"panel_4","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Source Ports","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Source Ports\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source Port\"}}]}"},"id":"9d3413c0-6ea0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1NywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:ssh\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"b816ee0e-45c6-438d-a4ed-799d9e80a9f0\"},\"panelIndex\":\"b816ee0e-45c6-438d-a4ed-799d9e80a9f0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"cbfd7081-d82b-4e29-b21c-6e9584d67328\"},\"panelIndex\":\"cbfd7081-d82b-4e29-b21c-6e9584d67328\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"d9b0c92a-8625-4e72-8a7c-333381e17244\"},\"panelIndex\":\"d9b0c92a-8625-4e72-8a7c-333381e17244\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":10,\"h\":19,\"i\":\"766c95ce-e20f-4e88-935f-2211b7be6b65\"},\"panelIndex\":\"766c95ce-e20f-4e88-935f-2211b7be6b65\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":10,\"y\":8,\"w\":10,\"h\":19,\"i\":\"e9ec8c9e-8a76-4501-abcb-2c9c08adfc44\"},\"panelIndex\":\"e9ec8c9e-8a76-4501-abcb-2c9c08adfc44\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":20,\"y\":8,\"w\":13,\"h\":19,\"i\":\"c2747e56-14c2-4a70-a1a7-e31affae20f8\"},\"panelIndex\":\"c2747e56-14c2-4a70-a1a7-e31affae20f8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":8,\"w\":15,\"h\":19,\"i\":\"ff324073-699d-4b26-b4fd-28190fa3803b\"},\"panelIndex\":\"ff324073-699d-4b26-b4fd-28190fa3803b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":17,\"h\":18,\"i\":\"248c6442-b868-4e06-bfaa-e6da2d2d7463\"},\"panelIndex\":\"248c6442-b868-4e06-bfaa-e6da2d2d7463\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":17,\"y\":27,\"w\":16,\"h\":18,\"i\":\"d24e4833-8b52-45ac-ac3f-bb31379e8380\"},\"panelIndex\":\"d24e4833-8b52-45ac-ac3f-bb31379e8380\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":27,\"w\":15,\"h\":18,\"i\":\"6711f807-284e-4025-99bb-cee25c0e970d\"},\"panelIndex\":\"6711f807-284e-4025-99bb-cee25c0e970d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - SSH","version":1},"id":"9dfd77e0-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"292b1db0-75ea-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"46221fe0-75ea-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"7d61f430-75ea-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"104a4a90-75eb-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"8afa5f50-75eb-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DCE/RPC - Endpoint","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DCE/RPC - Endpoint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.endpoint.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint\"}}]}"},"id":"a427d6e0-96db-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU1OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DCE/RPC - Named Pipe","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DCE/RPC - Named Pipe\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.named_pipe.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Named Pipe\"}}]}"},"id":"c2f21270-96db-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DCE/RPC - Operation","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DCE/RPC - Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.operation.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"}}]}"},"id":"df7989f0-96db-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2MSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dce_rpc\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"95dc50d5-926a-4ab3-a746-0e53f475d658\"},\"panelIndex\":\"95dc50d5-926a-4ab3-a746-0e53f475d658\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":14,\"h\":9,\"i\":\"5b559994-ed67-43c8-8eed-ab30fd8b3d26\"},\"panelIndex\":\"5b559994-ed67-43c8-8eed-ab30fd8b3d26\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":9,\"i\":\"4251a61c-1dcd-47b3-9866-f7ed939c73d4\"},\"panelIndex\":\"4251a61c-1dcd-47b3-9866-f7ed939c73d4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":21,\"i\":\"e74255f5-4dc6-4df0-ab24-032dd7d4bc02\"},\"panelIndex\":\"e74255f5-4dc6-4df0-ab24-032dd7d4bc02\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":21,\"i\":\"55f5c9e0-264b-44d1-9b49-0bb7890ef4bd\"},\"panelIndex\":\"55f5c9e0-264b-44d1-9b49-0bb7890ef4bd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":9,\"h\":21,\"i\":\"2a33a3df-4690-4ea4-a71a-9c98cb612213\"},\"panelIndex\":\"2a33a3df-4690-4ea4-a71a-9c98cb612213\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":9,\"w\":8,\"h\":21,\"i\":\"ee61c32f-e801-494f-a819-b5788bed856f\"},\"panelIndex\":\"ee61c32f-e801-494f-a819-b5788bed856f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":21,\"i\":\"f7c23591-431c-4a4c-a69b-a349c37697da\"},\"panelIndex\":\"f7c23591-431c-4a4c-a69b-a349c37697da\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - DCE/RPC","version":1},"id":"9e882df0-72c5-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"a427d6e0-96db-11ea-814e-bb515e873c2c","name":"panel_5","type":"visualization"},{"id":"c2f21270-96db-11ea-814e-bb515e873c2c","name":"panel_6","type":"visualization"},{"id":"df7989f0-96db-11ea-814e-bb515e873c2c","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2MiwxXQ=="} +{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.module:osquery\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Osquery","version":1},"id":"9eed5fc0-afcb-11ea-b262-353d451b125b","migrationVersion":{"search":"7.4.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Authentication Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Authentication Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"authentication_method.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Method\"}}],\"listeners\":{}}"},"id":"bf47f4c0-371e-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"bbbe5a80-6e21-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"d6ec3570-6e21-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"e8982270-6e21-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Authentication Method (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RFB - Authentication Method (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"authentication_method.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}"},"id":"c24191f0-6e22-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"RFB - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHC8iGxQT5EBNmq4bs","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU2OSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":56,\"i\":\"6\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":104,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"11\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":56,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":80,\"i\":\"13\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":80,\"i\":\"14\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"15\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":80,\"i\":\"15\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":20,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"17\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"Bro - RFB","version":1},"id":"9ef20ae0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"265a04d0-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"869e3030-371e-11e7-90f8-87842d5eedc9","name":"panel_2","type":"visualization"},{"id":"bf47f4c0-371e-11e7-90f8-87842d5eedc9","name":"panel_3","type":"visualization"},{"id":"14274040-371f-11e7-90f8-87842d5eedc9","name":"panel_4","type":"visualization"},{"id":"63c072c0-371f-11e7-90f8-87842d5eedc9","name":"panel_5","type":"visualization"},{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"bbbe5a80-6e21-11e7-b553-7f80727663c1","name":"panel_7","type":"visualization"},{"id":"d6ec3570-6e21-11e7-b553-7f80727663c1","name":"panel_8","type":"visualization"},{"id":"e8982270-6e21-11e7-b553-7f80727663c1","name":"panel_9","type":"visualization"},{"id":"4fade7b0-6e22-11e7-b553-7f80727663c1","name":"panel_10","type":"visualization"},{"id":"7c1e3f70-6e22-11e7-b553-7f80727663c1","name":"panel_11","type":"visualization"},{"id":"c24191f0-6e22-11e7-b553-7f80727663c1","name":"panel_12","type":"visualization"},{"id":"AWDHC8iGxQT5EBNmq4bs","name":"panel_13","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Content Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Content Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.content_type.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.content_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"id":"9ff24600-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Help","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Help\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"markdown\":\"## Introduction\\nWelcome to the Security Onion Elastic Stack! This is our implementation of the Elastic Stack on Security Onion. The Elastic Stack consists of three primary components:\\n- `Elasticsearch` - stores logs\\n- `Logstash` - collects and enriches logs before storing them in Elasticsearch\\n- `Kibana` - web interface for visualizing logs\\n\\n## Sidebar\\nStarting on the far left side of the page, you see the Sidebar. This contains links such as:\\n- `Discover` - search data\\n- `Visualize` - create visualizations based on searches\\n- `Dashboard` - view or create dashboards based on visualizations\\n- `Timelion` - timeline analysis\\n- `Dev Tools` - query Elasticsearch directly\\n- `Management` - view or modify Kibana settings\\n- `Squert` - separate web interface for viewing NIDS and HIDS alerts\\n- `Logout` - log out of your session\\n\\nThe first six of those links are within Kibana itself. If you click one of those and then want to get back to the Dashboards area where you started, simply click the `Dashboard` link.\\n\\nClicking the `Squert` link will take you out of Kibana and into Squert. You will not be required to authenticate to Squert since you already have an active Single Sign On (SSO) session.\\n\\nClicking the `Logout` link in either Squert or Kibana will log you out of your SSO session and take you back to the logon screen.\\n\\n## Navigation Panel\\nWhen you are in the Kibana Dashboard area, the panel to the immediate right of the sidebar is the Navigation Panel and it includes links to our dashboards such as Home, Help (this page), Bro Notices, ElastAlert, HIDS, NIDS, etc. Clicking one of the links in the Navigation Panel will take you to a dashboard dedicated to that particular log type. \\n\\n## Dashboards\\nAll dashboards are designed to work at 1024x768 screen resolution in order to maximize compatibility.\\n\\n### Dashboard Hyperlinks\\n\\nThe `source_ip` and `destination_ip` fields are hyperlinked. These hyperlinks will take you to the Indicator dashboard which will help you analyze the traffic relating to that particular IP address.\\n\\n`UID` fields are also hyperlinked. This hyperlink will start a new Kibana search for that particular UID. In the case of Bro UIDs this will show you all Bro logs related to that particular connection.\\n\\nEach log entry also has an `_id` field that is hyperlinked. This hyperlink will take you to CapMe, allowing you to request full packet capture for any arbitrary log type. This assumes that the log is for tcp or udp traffic that was seen by Bro and Bro recorded it correctly in its conn.log. \\n\\n### Overview Dashboard\\nWhen you first go to the Kibana Dashboard area, you are automatically placed into the Overview dashboard, where you will see overview information, such as total number of logs and sensors. Use the information on the Overview dashboard to determine which of the other dashboards on the Navigation Panel you might want to visit next.\\n\\n### Dashboard Categories\\nOur remaining dashboards are grouped into a few categories:\\n- `Alert Data` - dashboards that display alerts created by rules or signatures\\n- `Bro Hunting` - dashboards that allow you to slice and dice network metadata for hunting\\n- `Host Hunting` - dashboards that allow you to hunt via host telemetry\\n- `Other` - dashboards that don't fit into the categories above\\n\\n### Bro Notices\\nBro sniffs network traffic and generates notices such as `SSL::Invalid Server Cert` and `TeamCymruMalwareHashRegistry::Match`.\\n\\n### ElastAlert\\nElastAlert queries Elasticsearch on a regular basis and then generates alerts based on your desired criteria. Security Onion includes two example rules that alert on new IDS events and new connection logs. You can add your own ElastAlert rules in `/etc/elastalert/rules/`.\\n\\n### HIDS\\nOSSEC analyzes log files and generates Host Intrusion Detection System alerts based on its ruleset at `/var/ossec/rules/`. You can add your own rules in `/var/ossec/rules/local_rules.xml`.\\n\\n### NIDS\\nSecurity Onion can use either Snort or Suricata to sniff network traffic and generate Network Intrusion Detection System alerts. \\n\\n### Connections\\nBro sniffs network traffic and logs connection metadata including source IP/port, destination IP/port, protocol, and number of bytes.\\n\\n### DCE/RPC\\nBro sniffs network traffic and logs DCE/RPC metadata including source IP/port, destination IP/port, operation, endpoint, and named pipe.\\n\\n### DHCP\\nBro sniffs network traffic and logs DHCP requests and responses including source IP/port, destination IP/port, and MAC addresses.\\n\\n### DNP3\\nBro sniffs network traffic and logs DNP3 metadata including source IP/port, destination IP/port, function request, function reply.\\n\\n### DNS\\nBro sniffs network traffic and logs DNS queries and answers. Bro also includes other name lookups such as Windows NetBIOS name service requests and Bonjour.\\n\\n### Files\\nBro sniffs network traffic and logs metadata related to files being transferred over the network including IP addresses, MIME type, source, and checksums.\\n\\n### FTP\\nBro sniffs network traffic and logs FTP metadata including source IP/port, destination IP/port, command, reply code, argument, and username.\\n\\n### HTTP\\nBro sniffs network traffic and logs HTTP metadata including source IP/port, destination IP/port, method, status message, MIME type, site name, referer, and user agent.\\n\\n### Intel\\nBro sniffs network traffic and watches for indicators using the Intel framework. You can add your own indicators to `/opt/bro/share/bro/intel/intel.dat`.\\n\\n### IRC\\nBro sniffs network traffic and logs IRC metadata including source IP/port, destination IP/port, command, and username.\\n\\n### Kerberos\\nBro sniffs network traffic and logs Kerberos metadata including source IP/port, destination IP/port, cipher, client, server, service, request type, and success status.\\n\\n### Modbus\\nBro sniffs network traffic and logs Modbus metadata including source IP/port, destination IP/port, and function.\\n\\n### MySQL\\nBro sniffs network traffic and logs MySQL metadata including source IP/port, destination IP/port, command/argument, status, and response.\\n\\n### NTLM\\nBro sniffs network traffic and logs NTLM metadata including source IP/port, destination IP/port, hostname, username, and status.\\n\\n### PE\\nBro sniffs network traffic and logs PE metadata including OS, subsystem, machine, and section name.\\n\\n### RADIUS\\nBro sniffs network traffic and logs RADIUS metadata including source IP/port, destination IP/port, username, and result.\\n\\n### RDP\\nBro sniffs network traffic and logs RDP metadata including source IP/port, destination IP/port, client build, keyboard layout, encryption level, and result.\\n\\n### RFB\\nBro sniffs network traffic and logs RFB metadata including source IP/port, destination IP/port, authentication method, authentication status, client version, server version, and desktop name.\\n\\n### SIP\\nBro sniffs network traffic and logs SIP metadata including source IP/port, destination IP/port, method, content type, status, uri, and user agent.\\n\\n### SMB\\nBro sniffs network traffic and logs SMB metadata including source IP/port, destination IP/port, file name, and action.\\n\\n### SMTP\\nBro sniffs network traffic and logs SMTP metadata including source IP/port, destination IP/port, from, to, subject, and user agent.\\n\\n### SNMP\\nBro sniffs network traffic and logs SNMP metadata including source IP/port, destination IP/port, version, community, and duration.\\n\\n### Software\\nBro sniffs network traffic and logs metadata relating to the kinds of software that generated that traffic including name, type, and version.\\n\\n### SSH\\nBro sniffs network traffic and logs SSH metadata including source IP/port, destination IP/port, client version, server version, and success.\\n\\n### SSL\\nBro sniffs network traffic and logs SSL metadata including source IP/port, destination IP/port, server name, certificate subject, cipher, and validation status.\\n\\n### Syslog\\nBro sniffs network traffic and logs Syslog metadata including source IP/port, destination IP/port, severity, and protocol.\\n\\n### Tunnels\\nBro sniffs network traffic and detects IP, GRE, SOCKS, TEREDO, and AVAYA tunnels. It logs metadata including source IP/port, destination IP/port, type, and action.\\n\\n### Weird\\nBro sniffs network traffic and logs protocol anomalies metadata including source IP/port, destination IP/port, and the type of anomaly.\\n\\n### X.509\\nBro sniffs network traffic and logs X.509 metadata including certificate subject, issuer, key algorithm, key length, and signing algorithm.\\n\\n### Autoruns\\nSysinternals Autoruns can identify the processes which Windows is configured to automatically run. Autoruns data can then be ingested via [Autoruns To WinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog).\\n\\n### Beats\\nElastic Beats can be deployed on endpoints to collect host telemetry and send to Logstash for storage in Elasticsearch.\\n\\n### OSSEC\\nOSSEC agents can be deployed on endpoints to collect host telemetry and send to the OSSEC Server included in Security Onion. OSSEC Alerts can be found in the Alert Data category at the top of the Navigation Panel. This OSSEC hunting dashboard will allow you to hunt through all OSSEC logs, not just alerts.\\n\\n### Sysmon\\nSysinternal Sysmon provides comprehensive telemetry for Windows hosts. Its logs can be consumed using Beats, OSSEC, or other transport mechanism.\\n\\n### Domain Stats\\nSecurity Onion includes a tool called domain_stats which will do a whois lookup on a domain name to determine the age of the domain. If enabled, this dashboard looks for baby domains that have been recently registered. Please note that domain_stats is only enabled when running in Evaluation Mode.\\n\\n### Firewall\\nFirewall logs can be consumed via syslog or other transport mechanism. Once consumed, this dashboard allows you to slice and dice those firewall logs based on source IP/port, destination IP/port, protocol, and action.\\n\\n### Frequency\\nSecurity Onion includes a tool called freq_server which can perform frequency analysis of hostnames. If enabled, this dashboard will show hostnames with a frequency analysis score that indicates that they could have been randomly generated. Please note that freq_server is only enabled when running in Evaluation Mode.\\n\\n### Stats\\nThis dashboard shows statistics for Logstash including processing times for different log types and any errors that may have occurred.\\n\\n## More Information\\nFor additional information, please refer to our documentation at:\\n\\nhttps://securityonion.net/docs/Elastic\",\"type\":\"markdown\"},\"aggs\":[]}"},"id":"AV6-PHKnDwoBUzALqJ_c","migrationVersion":{"visualization":"7.7.0"},"references":[],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3MiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":40,\"h\":204,\"x\":8,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Help","version":1},"id":"AV6-POJSDwoBUzALqKAg","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"AV6-PHKnDwoBUzALqJ_c","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND _exists_:issuer_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"SSL - Certificate Issuer Common Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Issuer Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer Common Name\"}}],\"listeners\":{}}"},"id":"a83f17c0-6f0b-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND _exists_:server_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"SSL - Certificate Server Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Server Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"server_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Server Name\"}}],\"listeners\":{}}"},"id":"c2e54c20-6f0b-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:certificate_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"X.509 - Certificate Common Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"certificate_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}}],\"listeners\":{}}"},"id":"e03ba1d0-6f0a-11e7-83d2-adea2f314dc5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:issuer_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"X.509 - Certificate Issuer Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Issuer Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer\"}}],\"listeners\":{}}"},"id":"acd38970-6f0a-11e7-83d2-adea2f314dc5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:issuer_organization_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"X.509 - Certificate Issuer Organization Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Issuer Organization Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_organization_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_organization.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer Organization\"}}],\"listeners\":{}}"},"id":"c3f244c0-6f0a-11e7-83d2-adea2f314dc5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:parent_domain_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Parent Domain Frequency Analysis","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"DNS - Parent Domain Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"parent_domain_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}],\"listeners\":{}}"},"id":"c9f5d3a0-6f05-11e7-b253-211f64f37eda","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU3OSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":52,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":76,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":76,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":100,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":100,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":124,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":124,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":52,\"x\":0,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":48,\"h\":80,\"x\":0,\"y\":148,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":40,\"h\":28,\"x\":8,\"y\":24,\"i\":\"12\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}]","timeRestore":false,"title":"Frequency Analysis","version":1},"id":"AWAi5k4jAvKNGEbUWFis","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f1f00a0-6f04-11e7-b253-211f64f37eda","name":"panel_0","type":"visualization"},{"id":"7d1ede50-6f19-11e7-86c8-a1b6db3b051a","name":"panel_1","type":"visualization"},{"id":"8fa702e0-6f0b-11e7-9d31-23c0596994a7","name":"panel_2","type":"visualization"},{"id":"a83f17c0-6f0b-11e7-9d31-23c0596994a7","name":"panel_3","type":"visualization"},{"id":"c2e54c20-6f0b-11e7-9d31-23c0596994a7","name":"panel_4","type":"visualization"},{"id":"e03ba1d0-6f0a-11e7-83d2-adea2f314dc5","name":"panel_5","type":"visualization"},{"id":"acd38970-6f0a-11e7-83d2-adea2f314dc5","name":"panel_6","type":"visualization"},{"id":"c3f244c0-6f0a-11e7-83d2-adea2f314dc5","name":"panel_7","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_8","type":"visualization"},{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"panel_9","type":"search"},{"id":"c9f5d3a0-6f05-11e7-b253-211f64f37eda","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4MCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":40,\"h\":48,\"x\":8,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":48,\"h\":36,\"x\":0,\"y\":48,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"]}}]","timeRestore":false,"title":"Baby Domains","version":1},"id":"AWAi6wvxAvKNGEbUWO_j","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"41ec0ca0-6f13-11e7-86c8-a1b6db3b051a","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"fce833e0-6f12-11e7-86c8-a1b6db3b051a","name":"panel_2","type":"search"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4MSwxXQ=="} +{"attributes":{"fieldFormatMap":"{\"process_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}},\"event_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"aa\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"aa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"analyzer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"analyzer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"answers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"answers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"apache2.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"apache2.error.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.tid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.a0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.acct\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.item\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.items\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.new_auid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.new_ses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.old_auid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.old_ses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.ppid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.record_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.res\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.sequence\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"auth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_attempts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_ca\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_path_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bound_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"call_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"call_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_exponent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_exponent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_number_days_valid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_permanent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_permanent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_signing_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_signing_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"checksum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"checksum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"class.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_build.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_digital_product_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_digital_product_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"community\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"community.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compile_ts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compile_ts.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compression_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compression_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connect_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connect_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookie\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_passive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_channel_passive.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"desktop_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_width\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dest_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_city\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_city.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_latitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_region.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dir\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dir.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"direction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"direction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"display_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"display_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"enabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"enabled.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"endpoint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry_location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry_location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"escalated_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"escalated_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"established\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"established.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AccountName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AlgorithmName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AuthenticationPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CommandLine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Configuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ConfigurationFileHash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CurrentDirectory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationIp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationIsIpv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationPort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceVersionMajor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceVersionMinor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DirtyPages\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ElevatedToken\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.EventType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ExtraInfoLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ExtraInfoString\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.FilterID\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.FinalStatus\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Hashes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiveName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiveNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ImagePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ImpersonationLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IntegrityLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IpAddress\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IpPort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyFilePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeysUpdated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LmPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OldTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OriginalSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentCommandLine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentImage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentProcessGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PreviousCreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PreviousTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PrivilegeList\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProviderName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.RestrictedAdminMode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ReturnCode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SchemaVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ServiceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ServiceType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceHostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceIp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceIsIpv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourcePort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.StartType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.State\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetFilename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetLinkedLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetObject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetOutboundDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetOutboundUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TerminalSessionId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TransmittedServices\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.UtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.VirtualAccount\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Workstation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WorkstationName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param10\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param11\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param12\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param14\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param15\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param16\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param17\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param19\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param20\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param21\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param22\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param7\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param8\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param9\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.serviceGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateRevisionNumber\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateTitle\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exception\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exception.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileset.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileset.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"first_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"first_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"flow_label\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"flow_label.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"forwardable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"forwardable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"freq_virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"freq_virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"frequency_scores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"frequency_scores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"function\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"function.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_bulk_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_bulk_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_cert_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_cert_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_debug_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_debug_data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_export_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_export_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_import_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_import_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"highest_registered_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hop_limit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hop_limit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.debug.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.debug.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.debug.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.main.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.main.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.main.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.startup.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.startup.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.startup.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"iin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"iin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in_reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in_reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"info_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"initiated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"interface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"interface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_offset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_tos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_tos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_64bit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_64bit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_exe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_exe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_source_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_source_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_webmail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_webmail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_distinguished_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.trace.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.trace.full\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.trace.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kex_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kex_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keyboard_layout\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keyboard_layout.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.container.image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.namespace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.pod.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"launch_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"launch_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lease_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"lease_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logged.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.log.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.thread\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.plugin_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.plugin_params\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.plugin_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.thread\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.took_in_millis\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.took_in_nanos\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matched\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matched.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.availability_zone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.instance_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.instance_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.machine_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.project_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mimetype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mimetype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missing_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.error.thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.lock_time.sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.query_time.sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.rows_examined\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.rows_sent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.timestamp\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"n\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"named_pipe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"named_pipe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"native_file_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"native_file_system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"next_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"next_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nginx.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.connection_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nginx.error.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.tid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nick\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nick.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"note\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"note.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"num_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"offset\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_agent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_agent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"overflow_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.database\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"postgresql.log.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prev_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prev_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"profile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"profile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prospector.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"proxied.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_class_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_type_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ra\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ra.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rcode_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"read_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"recipient_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"recipient_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"redis.log.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.role\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.cmd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.duration.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rejected\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rejected.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related_activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"renewable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_port.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_color_depth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_color_depth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_resource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_resource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resumed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resumed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rows.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"san_dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"san_dns.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"second_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"second_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"section_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"section_names.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"security_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"security_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_node\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_node.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_where\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_where.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_major_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_minor_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"set_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"set_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_flag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_flag.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"site.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sources.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"stream\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_rule_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_rule_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"suppress_for\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-sourceip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sysmon_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sysmon_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.groupadd.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.groupadd.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.dropped_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.home\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.shell\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.uid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"terminal_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timed_out\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timed_out.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_accessed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_accessed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_changed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_changed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_created.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_modified.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tld.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tld.subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"top_level_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tracker_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tracker_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.backend_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.frontend_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.request_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"trans_depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"transaction_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ttls\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"unparsed_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"unparsed_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"up_since\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"up_since.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.binaryData\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.binaryDataSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.xml_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"useragent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_aslr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_aslr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_code_integrity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_code_integrity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_dep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_dep.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_seh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_seh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_till\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_till.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"validation_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"validation_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"warning\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"warning.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"width.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x_originating_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"xml\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"year\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"z.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:logstash-beats-*"},"id":"AWBLHZaBRuBloj96jvrD","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4MiwxXQ=="} +{"attributes":{"columns":["computer_name","process_id","user.name","event_id","event_data.Image"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"All Beats Logs","version":1},"id":"AWBLMr9vRuBloj96jxp1","migrationVersion":{"search":"7.4.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Process IDs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Beats - Process IDs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"AWBLN7X2RuBloj96jxxY","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Computer Names","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Beats - Computer Names\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"computer_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"AWBLNriuRuBloj96jxv3","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Event IDs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Beats - Event IDs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"AWBLOT8MRuBloj96jx0N","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Usernames","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"Beats - Usernames\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"AWBLONJCRuBloj96jxzY","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Beats - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"AWBLQ2__RuBloj96jyDn","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"match_all\":{}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Beats - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHHHR8xQT5EBNmq4z7","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU4OSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":48,\"h\":44,\"x\":0,\"y\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"columns\":[\"computer_name\",\"process_id\",\"user.name\",\"event_id\",\"event_data.Image\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"2\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"2\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":28,\"h\":8,\"x\":20,\"y\":0,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":12,\"h\":8,\"x\":8,\"y\":0,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"Beats","version":1},"id":"AWBLNS3CRuBloj96jxub","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"AWBLMr9vRuBloj96jxp1","name":"panel_0","type":"search"},{"id":"AWBLNriuRuBloj96jxv3","name":"panel_1","type":"visualization"},{"id":"AWBLN7X2RuBloj96jxxY","name":"panel_2","type":"visualization"},{"id":"AWBLOT8MRuBloj96jx0N","name":"panel_3","type":"visualization"},{"id":"AWBLONJCRuBloj96jxzY","name":"panel_4","type":"visualization"},{"id":"AWBLQ2__RuBloj96jyDn","name":"panel_5","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_6","type":"visualization"},{"id":"AWDHHHR8xQT5EBNmq4z7","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Connections - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG71xFxQT5EBNmq336","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DNS - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG9Qx0xQT5EBNmq3_2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SNMP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHD-LfxQT5EBNmq4iB","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SIP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHDNS4xQT5EBNmq4dF","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SMB - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHDfDkxQT5EBNmq4fQ","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SMTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHDsr0xQT5EBNmq4gw","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHE-_wxQT5EBNmq4n3","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Software - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Software - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHEKJUxQT5EBNmq4jW","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SSH - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHEYk4xQT5EBNmq4k5","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzU5OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SSL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHElRWxQT5EBNmq4lz","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Tunnels - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHFYrqxQT5EBNmq4qT","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Weird - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHGXk-xQT5EBNmq4uf","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"X.509 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDHGklsxQT5EBNmq4wG","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Connection","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top 10 - Total Bytes By Connection\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Connection ID\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"left\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"uid.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection ID\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"uid.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection ID\"}}],\"listeners\":{}}"},"id":"f1325230-3b0d-11e7-a0fe-29878c6f414a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Destination Port","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top 10 - Total Bytes By Destination Port\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Port\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Max total_bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"destination_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}],\"listeners\":{}}"},"id":"acd65230-3b0d-11e7-a0fe-29878c6f414a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwNSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Destination IP","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Bytes\",\"field\":\"total_bytes\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP Address\",\"field\":\"destination_ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination IP Address\",\"field\":\"destination_ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"title\":\"Connections - Top 10 - Total Bytes By Destination IP\",\"type\":\"histogram\"}"},"id":"eeafbb70-3b0c-11e7-a6f9-5d3fe735ec2b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwNiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":71,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":20,\"h\":18,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":18,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":18,\"w\":20,\"h\":20,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":38,\"w\":40,\"h\":33,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"x\":0,\"y\":71,\"w\":48,\"h\":35,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"gridData\":{\"x\":28,\"y\":18,\"w\":20,\"h\":20,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Connections - Total Bytes","version":1},"id":"a2ab0c40-3b0a-11e7-a6f9-5d3fe735ec2b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"f1325230-3b0d-11e7-a0fe-29878c6f414a","name":"panel_1","type":"visualization"},{"id":"acd65230-3b0d-11e7-a0fe-29878c6f414a","name":"panel_2","type":"visualization"},{"id":"41a33c80-3b0d-11e7-a6f9-5d3fe735ec2b","name":"panel_3","type":"visualization"},{"id":"726cc040-48cf-11e8-9576-313be7c6b44b","name":"panel_4","type":"visualization"},{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"eeafbb70-3b0c-11e7-a6f9-5d3fe735ec2b","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"a5045e20-3bd1-11e7-a3ae-1754b87179c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"a663e070-4c78-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYwOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SNMP - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"a67546c0-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - Request - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - Request - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"request.client.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"request.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"},"id":"a7ebb450-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Data Overview","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Data Overview\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":false,\"last_level\":false,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Category\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"url\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.category.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"ac6b1720-7559-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"observer.name:* OR agent.name:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Log Count By Node ","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Log Count By Node \",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"observer.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"observer.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Node\"}}]}"},"id":"a9fae5c0-6e9b-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxMywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"e243c0f0-f7cf-453e-8f5c-dc93e4651d69\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"e243c0f0-f7cf-453e-8f5c-dc93e4651d69\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"5fdac8ff-799a-4d54-8dcb-ee1728d9623d\",\"w\":17,\"x\":9,\"y\":0},\"panelIndex\":\"5fdac8ff-799a-4d54-8dcb-ee1728d9623d\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"126f5365-8829-469d-8349-a08874975584\",\"w\":22,\"x\":26,\"y\":0},\"panelIndex\":\"126f5365-8829-469d-8349-a08874975584\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":26,\"i\":\"9c61759c-0b14-433b-bca7-fd22f9a20630\",\"w\":22,\"x\":0,\"y\":8},\"panelIndex\":\"9c61759c-0b14-433b-bca7-fd22f9a20630\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":26,\"i\":\"504e0ba1-08f7-4601-833d-6615d84e8fba\",\"w\":9,\"x\":22,\"y\":8},\"panelIndex\":\"504e0ba1-08f7-4601-833d-6615d84e8fba\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":26,\"i\":\"e3425787-250b-4dad-8244-4c7ba65df3d9\",\"w\":8,\"x\":31,\"y\":8},\"panelIndex\":\"e3425787-250b-4dad-8244-4c7ba65df3d9\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":26,\"i\":\"9c133f8f-ca11-4a4b-ac5a-3dfe3b87f20e\",\"w\":9,\"x\":39,\"y\":8},\"panelIndex\":\"9c133f8f-ca11-4a4b-ac5a-3dfe3b87f20e\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - Home","version":1},"id":"a8411b30-6d03-11ea-b301-3d6c35840645","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ac6b1720-7559-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","name":"panel_5","type":"visualization"},{"id":"a9fae5c0-6e9b-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security Onion - Osquery - Query Results Count","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.result.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Query Results\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.result.hostname.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.result.live_query.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Live Query Pivot\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.result.endpoint_ip1.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint Primary IP\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"title\":\"Security Onion - Osquery - Query Results Count\"}"},"id":"ab47a590-afcc-11ea-b262-353d451b125b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9eed5fc0-afcb-11ea-b262-353d451b125b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxNSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"3919aa4b-bef6-4545-a780-484bae2df9ee\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"3919aa4b-bef6-4545-a780-484bae2df9ee\",\"version\":\"7.6.1\",\"panelRefName\":\"panel_0\"}]","timeRestore":false,"title":"Security Onion - Users","version":1},"id":"abbe1140-72c7-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Dataset By Node","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Dataset By Node\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.dataset.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}}]}"},"id":"abffa080-6ec9-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f5166880-374f-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Request Path","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Request Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"request_path.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request Path\"}}],\"listeners\":{}}"},"id":"dddb4430-3752-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYxOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"dfd1dc00-6e24-11e7-a261-55504638cf3b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyMCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":0,\"y\":72,\"w\":16,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":16,\"y\":72,\"w\":16,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":20,\"y\":8,\"w\":12,\"h\":16,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"x\":0,\"y\":96,\"w\":48,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":20,\"y\":48,\"w\":28,\"h\":24,\"i\":\"13\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":32,\"y\":24,\"w\":16,\"h\":24,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":0,\"y\":48,\"w\":20,\"h\":24,\"i\":\"15\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"16\",\"gridData\":{\"x\":8,\"y\":8,\"w\":12,\"h\":16,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}},{\"panelIndex\":\"17\",\"gridData\":{\"x\":0,\"y\":120,\"w\":48,\"h\":30,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"18\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":16,\"i\":\"18\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"19\",\"gridData\":{\"x\":32,\"y\":72,\"w\":16,\"h\":24,\"i\":\"19\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"panelIndex\":\"20\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"20\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"panelIndex\":\"21\",\"gridData\":{\"x\":8,\"y\":24,\"w\":24,\"h\":24,\"i\":\"21\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - SIP","version":1},"id":"ad3c0830-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"5393c710-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"f5166880-374f-11e7-b74a-f5057991ccd2","name":"panel_2","type":"visualization"},{"id":"04e1aea0-3750-11e7-b74a-f5057991ccd2","name":"panel_3","type":"visualization"},{"id":"90bf0a80-3750-11e7-b74a-f5057991ccd2","name":"panel_4","type":"visualization"},{"id":"dddb4430-3752-11e7-b74a-f5057991ccd2","name":"panel_5","type":"visualization"},{"id":"5e36c370-3753-11e7-b74a-f5057991ccd2","name":"panel_6","type":"visualization"},{"id":"73f663f0-3753-11e7-b74a-f5057991ccd2","name":"panel_7","type":"visualization"},{"id":"930b1600-3753-11e7-b74a-f5057991ccd2","name":"panel_8","type":"visualization"},{"id":"2db47070-3754-11e7-b74a-f5057991ccd2","name":"panel_9","type":"visualization"},{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"panel_10","type":"search"},{"id":"1ef5c230-6e24-11e7-a261-55504638cf3b","name":"panel_11","type":"visualization"},{"id":"dfd1dc00-6e24-11e7-a261-55504638cf3b","name":"panel_12","type":"visualization"},{"id":"AWDHDNS4xQT5EBNmq4dF","name":"panel_13","type":"visualization"},{"id":"0291dba0-4c78-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyMSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:files\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":7,\"i\":\"257c130f-3673-410c-9f60-d67deb13b580\"},\"panelIndex\":\"257c130f-3673-410c-9f60-d67deb13b580\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":7,\"i\":\"de6206b4-7adb-44a0-ae00-2d28274478c8\"},\"panelIndex\":\"de6206b4-7adb-44a0-ae00-2d28274478c8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":7,\"i\":\"93532ba0-f446-4a97-8783-a04dd4347485\"},\"panelIndex\":\"93532ba0-f446-4a97-8783-a04dd4347485\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":8,\"h\":19,\"i\":\"a2af856c-7069-46b2-974c-e8b9054af929\"},\"panelIndex\":\"a2af856c-7069-46b2-974c-e8b9054af929\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":7,\"w\":9,\"h\":19,\"i\":\"4a3de026-5001-46a6-af20-78db885bd4bb\"},\"panelIndex\":\"4a3de026-5001-46a6-af20-78db885bd4bb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":17,\"y\":7,\"w\":17,\"h\":19,\"i\":\"74071657-abfc-49e7-a0c3-e318b72a9d4c\"},\"panelIndex\":\"74071657-abfc-49e7-a0c3-e318b72a9d4c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":34,\"y\":7,\"w\":14,\"h\":19,\"i\":\"2379029c-c749-4804-91df-3d9be3fc4f8a\"},\"panelIndex\":\"2379029c-c749-4804-91df-3d9be3fc4f8a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":26,\"w\":21,\"h\":19,\"i\":\"0e36a0b5-5905-43c6-8ae1-f3eb348571a0\"},\"panelIndex\":\"0e36a0b5-5905-43c6-8ae1-f3eb348571a0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":21,\"y\":26,\"w\":8,\"h\":19,\"i\":\"99813eab-a19b-47d2-a8ee-8bcb667eedbf\"},\"panelIndex\":\"99813eab-a19b-47d2-a8ee-8bcb667eedbf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":26,\"w\":10,\"h\":19,\"i\":\"18a734f4-78a1-4d84-9f7f-7c5aa6d3b1c2\"},\"panelIndex\":\"18a734f4-78a1-4d84-9f7f-7c5aa6d3b1c2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":39,\"y\":26,\"w\":9,\"h\":19,\"i\":\"c51df9f8-9010-4cae-9c7c-76ca7af98f13\"},\"panelIndex\":\"c51df9f8-9010-4cae-9c7c-76ca7af98f13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":24,\"i\":\"226350dd-3afe-4135-a8da-71db63287a95\"},\"panelIndex\":\"226350dd-3afe-4135-a8da-71db63287a95\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"Security Onion - Zeek Files","version":1},"id":"ad4d5d60-75f4-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"bcf25e30-75f1-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"e8d35c50-75f3-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"09fc6ef0-7732-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"2fc4bea0-7730-11ea-bee5-af7f7c7b8e05","name":"panel_8","type":"visualization"},{"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","name":"panel_9","type":"visualization"},{"id":"efc25540-75f1-11ea-9565-7315f4ee5cac","name":"panel_10","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_11","type":"search"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"ae4e88b0-76b5-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyMywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSL - Destination Country (Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSL - Destination Country (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"destination_geo.country_name.keyword: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"ae959820-365c-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - TLS - True/False (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"SMTP - TLS - True/False (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"TLS\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tls.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS\"}}],\"listeners\":{}}"},"id":"aeb71cc0-6e29-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyNSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Initial Systems/Queries\",\"disabled\":true,\"key\":\"osquery.counter\",\"negate\":true,\"params\":{\"query\":0,\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"0\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"osquery.counter\":{\"query\":0,\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Servers Only\",\"disabled\":true,\"key\":\"osquery.codename\",\"negate\":false,\"params\":{\"query\":\"server\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"server\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match\":{\"osquery.codename\":{\"query\":\"server\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":64,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":11,\"i\":\"16\"},\"panelIndex\":\"16\",\"title\":\"\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":29,\"w\":40,\"h\":20,\"i\":\"18\"},\"panelIndex\":\"18\",\"title\":\"Chrome Extensions - Logs\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":11,\"w\":40,\"h\":18,\"i\":\"19\"},\"panelIndex\":\"19\",\"title\":\"Chrome Extensions - Sensitive Permissions\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":11,\"i\":\"20\"},\"version\":\"7.3.0\",\"panelIndex\":\"20\",\"embeddableConfig\":{},\"title\":\"Chrome Extensions - Changes by Hostname\",\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"osquery - Chrome Extensions","version":1},"id":"af0ea750-18d3-11e9-932c-d12d2cf4ee95","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index","type":"index-pattern"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"71538370-18d5-11e9-932c-d12d2cf4ee95","name":"panel_1","type":"visualization"},{"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","name":"panel_2","type":"search"},{"id":"78cf8bf0-1a59-11e9-ac0b-cb0ba10141ab","name":"panel_3","type":"visualization"},{"id":"04f86530-1a59-11e9-ac0b-cb0ba10141ab","name":"panel_4","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security Onion - Osquery - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Osquery - Name\"}"},"id":"af139720-afcb-11ea-b262-353d451b125b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Message Type (Donut)","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dhcp.message_types.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message Type\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"title\":\"Security Onion - DHCP - Message Type (Donut)\"}"},"id":"af26c6e0-96e6-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T13:48:58.637Z","version":"WzczNywyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"SMTP\"}}],\"listeners\":{}}"},"id":"c47e2a10-39a1-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyOCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMTP - Destination Country (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMTP - Destination Country (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}]}"},"id":"dfe23030-39a1-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYyOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - TLS (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMTP - TLS (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tls.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"c3bb32c0-39a2-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"f18a0480-3bd0-11e7-9c09-4f161b0766dd","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzMSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"useragent.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"id":"d776e510-6e28-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzMiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"d5aa6d00-6e29-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzMywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":80,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":80,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":16,\"y\":56,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":104,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":20,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":20,\"i\":\"18\"},\"panelIndex\":\"18\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":56,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"20\"},\"panelIndex\":\"20\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\"}]","timeRestore":false,"title":"Bro - SMTP","version":1},"id":"b10a9c60-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"7c922990-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"c47e2a10-39a1-11e7-8472-0151e5b2b475","name":"panel_2","type":"visualization"},{"id":"dfe23030-39a1-11e7-8472-0151e5b2b475","name":"panel_3","type":"visualization"},{"id":"73b1b240-39a2-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"96767400-39a2-11e7-8472-0151e5b2b475","name":"panel_5","type":"visualization"},{"id":"c3bb32c0-39a2-11e7-8472-0151e5b2b475","name":"panel_6","type":"visualization"},{"id":"f18a0480-3bd0-11e7-9c09-4f161b0766dd","name":"panel_7","type":"visualization"},{"id":"a5045e20-3bd1-11e7-a3ae-1754b87179c0","name":"panel_8","type":"visualization"},{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"d776e510-6e28-11e7-8b76-75eee0095daa","name":"panel_10","type":"visualization"},{"id":"53beb0d0-6e29-11e7-8b76-75eee0095daa","name":"panel_11","type":"visualization"},{"id":"aeb71cc0-6e29-11e7-8b76-75eee0095daa","name":"panel_12","type":"visualization"},{"id":"d5aa6d00-6e29-11e7-8b76-75eee0095daa","name":"panel_13","type":"visualization"},{"id":"AWDHDsr0xQT5EBNmq4gw","name":"panel_14","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzNCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNP3 - IIN","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNP3 - IIN\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dnp3.iin: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dnp3.iin\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IIN\"}}]}"},"id":"f991b6d0-75b8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzNSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dnp3\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\"},\"panelIndex\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":15,\"h\":8,\"i\":\"1b99097d-a957-4163-9810-263a0e653c18\"},\"panelIndex\":\"1b99097d-a957-4163-9810-263a0e653c18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":8,\"i\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\"},\"panelIndex\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":19,\"i\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\"},\"panelIndex\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":8,\"w\":8,\"h\":19,\"i\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\"},\"panelIndex\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":16,\"y\":8,\"w\":12,\"h\":19,\"i\":\"a9916c8f-c82b-413d-8561-64ce0d68d3b8\"},\"panelIndex\":\"a9916c8f-c82b-413d-8561-64ce0d68d3b8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":19,\"i\":\"04426d00-3313-40eb-a0c9-2541a7ea99f3\"},\"panelIndex\":\"04426d00-3313-40eb-a0c9-2541a7ea99f3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - DNP3","version":1},"id":"b1f52180-755a-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f991b6d0-75b8-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"214793c0-75b9-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Authentication Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Authentication Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.authentication.method.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.authentication.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"},"id":"b2053990-75c7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzNywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:kerberos\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"caa0aaa2-ed03-47b4-9a9f-c0f9b8d50da9\"},\"panelIndex\":\"caa0aaa2-ed03-47b4-9a9f-c0f9b8d50da9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":14,\"y\":0,\"w\":15,\"h\":9,\"i\":\"e0e4a50d-887b-472b-a790-302966fb6f49\"},\"panelIndex\":\"e0e4a50d-887b-472b-a790-302966fb6f49\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":9,\"i\":\"5cca2c4b-7299-4122-a3d5-3637ef23dc5d\"},\"panelIndex\":\"5cca2c4b-7299-4122-a3d5-3637ef23dc5d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":10,\"h\":19,\"i\":\"aa944a94-288e-490f-9e04-f5b3bc2cf19f\"},\"panelIndex\":\"aa944a94-288e-490f-9e04-f5b3bc2cf19f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":10,\"y\":9,\"w\":10,\"h\":19,\"i\":\"ebc359a7-3dce-4e7d-bd70-355cc8099437\"},\"panelIndex\":\"ebc359a7-3dce-4e7d-bd70-355cc8099437\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":20,\"y\":9,\"w\":11,\"h\":19,\"i\":\"251dacac-b4c5-481a-9e41-8173e9bc27ab\"},\"panelIndex\":\"251dacac-b4c5-481a-9e41-8173e9bc27ab\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":31,\"y\":9,\"w\":7,\"h\":19,\"i\":\"1a78a61c-7b0a-425f-ade8-bcbb302a2585\"},\"panelIndex\":\"1a78a61c-7b0a-425f-ade8-bcbb302a2585\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":38,\"y\":9,\"w\":10,\"h\":19,\"i\":\"eba2e210-8b36-41a7-8ac5-7d63cfc022e1\"},\"panelIndex\":\"eba2e210-8b36-41a7-8ac5-7d63cfc022e1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Kerberos","version":1},"id":"b207ab90-75bc-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"0ecc7310-75bd-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"2d73e460-75bd-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"48331f00-75bd-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzOCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":104,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"8\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":32,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - SMB","version":1},"id":"b3a53710-3aaa-11e7-8b17-0d8709b02c80","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"panel_0","type":"search"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"85e40a70-3aac-11e7-8b17-0d8709b02c80","name":"panel_2","type":"visualization"},{"id":"15b4e7a0-3aad-11e7-8b17-0d8709b02c80","name":"panel_3","type":"visualization"},{"id":"31f5e040-3aad-11e7-8b17-0d8709b02c80","name":"panel_4","type":"visualization"},{"id":"6f883480-3aad-11e7-8b17-0d8709b02c80","name":"panel_5","type":"visualization"},{"id":"60384e00-3aaf-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"72f0f010-3aaf-11e7-a83b-b1b4da7d15f4","name":"panel_7","type":"visualization"},{"id":"306c4330-4175-11e7-a0f7-47f4c03e3306","name":"panel_8","type":"visualization"},{"id":"AWDHDfDkxQT5EBNmq4fQ","name":"panel_9","type":"visualization"},{"id":"a663e070-4c78-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzYzOSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Responder Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Responder Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"respond_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Responder Bytes\"}}],\"listeners\":{}}"},"id":"b50912f0-366f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Tunnels - Type","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Tunnels - Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tunnel.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"id":"b6120810-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Responder Bytes ( Tile Map)","uiStateJSON":"{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}","version":1,"visState":"{\"title\":\"Connections - Source - Responder Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"respond_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"id":"f3bc9fa0-46cb-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0MiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[24.84656534821976,0.17578125],\"mapZoom\":2}}]","timeRestore":false,"title":"Connections - Source - Responder Bytes","version":1},"id":"b65775e0-46cb-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"f3bc9fa0-46cb-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"e8511600-36b8-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Session Duration","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Session Duration\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"duration\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Duration\"}}],\"listeners\":{}}"},"id":"e47015d0-36b9-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0NSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":24,\"y\":32,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":32,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":8,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - SNMP","version":1},"id":"b65c2710-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"a67546c0-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"e8511600-36b8-11e7-9786-41a1d72e15ad","name":"panel_2","type":"visualization"},{"id":"0defabb0-36b9-11e7-9786-41a1d72e15ad","name":"panel_3","type":"visualization"},{"id":"e47015d0-36b9-11e7-9786-41a1d72e15ad","name":"panel_4","type":"visualization"},{"id":"2a3ae810-36ba-11e7-9786-41a1d72e15ad","name":"panel_5","type":"visualization"},{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"7dc62970-6e2a-11e7-8b76-75eee0095daa","name":"panel_7","type":"visualization"},{"id":"AWDHD-LfxQT5EBNmq4iB","name":"panel_8","type":"visualization"},{"id":"83a91450-4c79-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Validation Status","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Validation Status\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.validation_status.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssl.validation_status.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"}}]}"},"id":"b8371250-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0NywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:radius\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"005ac000-9db8-4310-97d5-4574cdaf0e49\"},\"panelIndex\":\"005ac000-9db8-4310-97d5-4574cdaf0e49\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":9,\"i\":\"a65d1358-9fa9-4457-8a46-5790a748d1fa\"},\"panelIndex\":\"a65d1358-9fa9-4457-8a46-5790a748d1fa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"d38d991e-53e4-4b71-8e3f-c0d4b0d454da\"},\"panelIndex\":\"d38d991e-53e4-4b71-8e3f-c0d4b0d454da\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":19,\"i\":\"9304c1a2-e55f-4f51-bd04-d15892b754a4\"},\"panelIndex\":\"9304c1a2-e55f-4f51-bd04-d15892b754a4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":19,\"i\":\"7075ea4f-e935-470c-9329-9a0b15202385\"},\"panelIndex\":\"7075ea4f-e935-470c-9329-9a0b15202385\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":16,\"y\":9,\"w\":8,\"h\":19,\"i\":\"91a90e9d-71f7-484c-a561-6aef6a3b8f09\"},\"panelIndex\":\"91a90e9d-71f7-484c-a561-6aef6a3b8f09\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":24,\"y\":9,\"w\":9,\"h\":19,\"i\":\"9058f9ee-39d1-4e2b-a99b-ed4c2fb26efd\"},\"panelIndex\":\"9058f9ee-39d1-4e2b-a99b-ed4c2fb26efd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":19,\"i\":\"766f8f9b-3f31-47d8-9734-442fc1fcff84\"},\"panelIndex\":\"766f8f9b-3f31-47d8-9734-442fc1fcff84\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - RADIUS","version":1},"id":"b9769e60-75c4-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"767c89f0-af4c-11ea-b262-353d451b125b","name":"panel_5","type":"visualization"},{"id":"0ca071b0-75c5-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"27ab8260-75c5-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"id":"bc7fbe00-4a44-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY0OSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.module:osquery\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"7f9eaa30-b358-4027-a312-249defe273c4\"},\"panelIndex\":\"7f9eaa30-b358-4027-a312-249defe273c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":7,\"y\":0,\"w\":17,\"h\":7,\"i\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\"},\"panelIndex\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":7,\"i\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\"},\"panelIndex\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":48,\"h\":16,\"i\":\"fae63e28-6a3c-4641-94fd-e5b033ac55b9\"},\"panelIndex\":\"fae63e28-6a3c-4641-94fd-e5b033ac55b9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":23,\"w\":48,\"h\":31,\"i\":\"db4fa812-32fb-43c8-baa8-e88206cae126\"},\"panelIndex\":\"db4fa812-32fb-43c8-baa8-e88206cae126\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"Security Onion - Osquery","version":1},"id":"bf7cf8d0-7732-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ab47a590-afcc-11ea-b262-353d451b125b","name":"panel_3","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"search"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1MCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Software - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Software - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"da4cc2c0-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1MSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":40,\"x\":0,\"y\":44,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"name\",\"software_type\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":40,\"h\":36,\"x\":8,\"y\":8,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Software","version":1},"id":"c2c99c30-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"da4cc2c0-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"AWDHEKJUxQT5EBNmq4jW","name":"panel_3","type":"visualization"},{"id":"9b0f6a80-4c7a-11e8-9b0a-f1d33346f773","name":"panel_4","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Protocol (Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Connections - Protocol (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Protocol\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"protocol.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}]}"},"id":"c3152010-3673-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"ec40c5e0-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1NCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:mysql\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"b08e3120-b482-4817-b3e9-f521f5acd8f2\"},\"panelIndex\":\"b08e3120-b482-4817-b3e9-f521f5acd8f2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":9,\"i\":\"e23b2681-5eae-4de6-8933-ba755508ec5b\"},\"panelIndex\":\"e23b2681-5eae-4de6-8933-ba755508ec5b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":9,\"i\":\"53e06ed2-d64f-46dc-b864-5b884a8c53dc\"},\"panelIndex\":\"53e06ed2-d64f-46dc-b864-5b884a8c53dc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":18,\"i\":\"2bfa498b-d0a8-48ee-9a47-bcf288127d2a\"},\"panelIndex\":\"2bfa498b-d0a8-48ee-9a47-bcf288127d2a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":18,\"i\":\"e6a27aaf-ef8d-41a3-aebc-9c26ab2dc189\"},\"panelIndex\":\"e6a27aaf-ef8d-41a3-aebc-9c26ab2dc189\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":9,\"w\":15,\"h\":18,\"i\":\"e2f6f286-c4ba-4642-b650-366aca2c3d2d\"},\"panelIndex\":\"e2f6f286-c4ba-4642-b650-366aca2c3d2d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":18,\"i\":\"f84a5dbd-d99c-4c24-895f-18f1d419af93\"},\"panelIndex\":\"f84a5dbd-d99c-4c24-895f-18f1d419af93\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":16,\"i\":\"3b2e66eb-aa46-4363-b8ad-efd564b95279\"},\"panelIndex\":\"3b2e66eb-aa46-4363-b8ad-efd564b95279\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - MySQL","version":1},"id":"c3ced6d0-75be-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"ec40c5e0-75c0-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"1f306f60-75c0-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"3af496e0-75c0-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"ca9ffc10-76b5-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Protocol","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"protocol.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}],\"listeners\":{}}"},"id":"e9d5ae30-76b6-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1NywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":8,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":28,\"h\":24,\"x\":8,\"y\":8,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}}]","timeRestore":false,"title":"Bro - Syslog","version":1},"id":"c4bbe040-76b3-11e7-ba96-cba76a1e264d","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"92b202e0-76b4-11e7-94e1-3d2ec4e57ed9","name":"panel_1","type":"visualization"},{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"panel_2","type":"search"},{"id":"6c60a280-76b5-11e7-94e1-3d2ec4e57ed9","name":"panel_3","type":"visualization"},{"id":"ae4e88b0-76b5-11e7-94e1-3d2ec4e57ed9","name":"panel_4","type":"visualization"},{"id":"ca9ffc10-76b5-11e7-94e1-3d2ec4e57ed9","name":"panel_5","type":"visualization"},{"id":"e9d5ae30-76b6-11e7-94e1-3d2ec4e57ed9","name":"panel_6","type":"visualization"},{"id":"346e5c30-76b7-11e7-94e1-3d2ec4e57ed9","name":"panel_7","type":"visualization"},{"id":"AWDHE-_wxQT5EBNmq4n3","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Authentication Success","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"SSH - Authentication Success\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Authentication Success\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"authentication_success.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Success\"}}],\"listeners\":{}}"},"id":"dcea2790-6e33-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY1OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSH -Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH -Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}]}"},"id":"e64833a0-4c7b-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2MCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"8\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"11\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":24,\"i\":\"12\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"13\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":24,\"i\":\"13\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":8,\"y\":8,\"w\":28,\"h\":24,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - SSH","version":1},"id":"c6ccfc00-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"09457310-3641-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"8a60eb50-365f-11e7-8c78-e3086faf385c","name":"panel_2","type":"visualization"},{"id":"9a33f9a0-365f-11e7-8c78-e3086faf385c","name":"panel_3","type":"visualization"},{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"54d78f50-6e33-11e7-9a19-a5996f8250c6","name":"panel_5","type":"visualization"},{"id":"dcea2790-6e33-11e7-9a19-a5996f8250c6","name":"panel_6","type":"visualization"},{"id":"2bbdc020-6e34-11e7-9a19-a5996f8250c6","name":"panel_7","type":"visualization"},{"id":"AWDHEYk4xQT5EBNmq4k5","name":"panel_8","type":"visualization"},{"id":"e64833a0-4c7b-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"c7484350-6eb1-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Zeek - Notice Message","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Zeek - Notice Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"notice.message.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"notice.message.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message\"}}]}"},"id":"c8039090-7a84-11ea-9d13-57f5db13d1ed","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Share Flag","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Share Flag\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rfb.share_flag\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"d5e72b20-75c7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Desktop Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Desktop Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.desktop.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.desktop.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Desktop Name\"}}]}"},"id":"fe62c910-75c7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2NSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:rfb\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"f64f888f-f9bb-4be1-ab75-80d2a11303ed\"},\"panelIndex\":\"f64f888f-f9bb-4be1-ab75-80d2a11303ed\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"0e12fa96-b29d-4815-ae19-b6e894948597\"},\"panelIndex\":\"0e12fa96-b29d-4815-ae19-b6e894948597\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"7c1a7e05-c37b-4f81-b6b6-b30cfa0897e2\"},\"panelIndex\":\"7c1a7e05-c37b-4f81-b6b6-b30cfa0897e2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"c1bb39f4-4d9f-4154-a131-65e727fc0049\"},\"panelIndex\":\"c1bb39f4-4d9f-4154-a131-65e727fc0049\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"e51c88d1-a11a-4d5f-b5a7-f6ac79b23054\"},\"panelIndex\":\"e51c88d1-a11a-4d5f-b5a7-f6ac79b23054\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":8,\"w\":14,\"h\":19,\"i\":\"b9412112-bc5a-4b16-ba5e-ded11a0e299d\"},\"panelIndex\":\"b9412112-bc5a-4b16-ba5e-ded11a0e299d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":19,\"i\":\"edfbec77-b174-40ac-9f11-776da22fe82d\"},\"panelIndex\":\"edfbec77-b174-40ac-9f11-776da22fe82d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":24,\"h\":15,\"i\":\"d2d1ebcb-83a9-44ca-80f2-2f0fc2abcecf\"},\"panelIndex\":\"d2d1ebcb-83a9-44ca-80f2-2f0fc2abcecf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":27,\"w\":12,\"h\":15,\"i\":\"aedad86f-ec5e-4330-bab0-468351eb8355\"},\"panelIndex\":\"aedad86f-ec5e-4330-bab0-468351eb8355\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":36,\"y\":27,\"w\":12,\"h\":15,\"i\":\"8092b313-2e40-47e4-96a2-51086f98e53f\"},\"panelIndex\":\"8092b313-2e40-47e4-96a2-51086f98e53f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - RFB","version":1},"id":"c8b3c360-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b2053990-75c7-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"d5e72b20-75c7-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"fe62c910-75c7-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"5dcf09e0-75c8-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"316e90a0-75c8-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connection Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Connection Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"id":"c94e2aa0-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2NywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:tunnel\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"19aef080-5875-4182-81a8-2a6639c75489\"},\"panelIndex\":\"19aef080-5875-4182-81a8-2a6639c75489\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"70939be7-5bb9-4d13-ab89-683b3eda7a98\"},\"panelIndex\":\"70939be7-5bb9-4d13-ab89-683b3eda7a98\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"21848a06-ca96-4869-b069-7524caf3ae06\"},\"panelIndex\":\"21848a06-ca96-4869-b069-7524caf3ae06\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":10,\"h\":19,\"i\":\"8020a914-8f9f-4bd6-be32-1c6afa27f9e4\"},\"panelIndex\":\"8020a914-8f9f-4bd6-be32-1c6afa27f9e4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":10,\"y\":8,\"w\":10,\"h\":19,\"i\":\"9f72f316-c3a2-4658-8d03-932fa590e216\"},\"panelIndex\":\"9f72f316-c3a2-4658-8d03-932fa590e216\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":20,\"y\":8,\"w\":9,\"h\":19,\"i\":\"fa1bc43a-2be3-4699-97af-677bded82273\"},\"panelIndex\":\"fa1bc43a-2be3-4699-97af-677bded82273\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":8,\"w\":19,\"h\":19,\"i\":\"7c522eab-36bc-4933-abea-29a4c4a4f918\"},\"panelIndex\":\"7c522eab-36bc-4933-abea-29a4c4a4f918\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - Tunnels","version":1},"id":"c962dd60-75ed-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"b6120810-75ef-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Weird - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}"},"id":"ca3e57d0-4172-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY2OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNP3 - FC Reply","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNP3 - FC Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dnp3.fc_reply.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dnp3.fc_reply.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"FC Reply\"}}]}"},"id":"cb29fbe0-75b8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3MCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\",\"gridData\":{\"x\":12,\"y\":20,\"w\":24,\"h\":20,\"i\":\"1\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}},{\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\",\"gridData\":{\"x\":12,\"y\":0,\"w\":24,\"h\":20,\"i\":\"2\"},\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":40,\"i\":\"3\"},\"embeddableConfig\":{}},{\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":40,\"w\":48,\"h\":24,\"i\":\"4\"},\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}}]","timeRestore":false,"title":"Connections - Top Source IPs","version":1},"id":"cb367060-3b04-11e7-a83b-b1b4da7d15f4","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8261cf00-366e-11e7-8c78-e3086faf385c","name":"panel_0","type":"visualization"},{"id":"28c27f80-3b05-11e7-a83b-b1b4da7d15f4","name":"panel_1","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_2","type":"visualization"},{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"id":"db570800-365a-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"f0700840-365a-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSL - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"validation_status.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS Version\"}}]}"},"id":"ebec2ea0-4c7c-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3NCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":104,\"i\":\"9\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":104,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"11\",\"gridData\":{\"w\":20,\"h\":24,\"x\":16,\"y\":104,\"i\":\"11\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"12\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"12\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"14\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":8,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"w\":48,\"h\":72,\"x\":0,\"y\":128,\"i\":\"15\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"19\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"19\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"20\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"20\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\"},{\"panelIndex\":\"21\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"21\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"Bro - SSL","version":1},"id":"cca67b60-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"6139edd0-3641-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"3753e110-365a-11e7-bf60-314364dd1cde","name":"panel_2","type":"visualization"},{"id":"02699580-365a-11e7-bf60-314364dd1cde","name":"panel_3","type":"visualization"},{"id":"db570800-365a-11e7-8bd0-1db2c55fb7a1","name":"panel_4","type":"visualization"},{"id":"f0700840-365a-11e7-8bd0-1db2c55fb7a1","name":"panel_5","type":"visualization"},{"id":"21d090d0-365b-11e7-8bd0-1db2c55fb7a1","name":"panel_6","type":"visualization"},{"id":"53ac63e0-365b-11e7-8bd0-1db2c55fb7a1","name":"panel_7","type":"visualization"},{"id":"ae959820-365c-11e7-8bd0-1db2c55fb7a1","name":"panel_8","type":"visualization"},{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"23d22bd0-70b4-11e7-810e-2bafe9e41c10","name":"panel_10","type":"visualization"},{"id":"AWDHElRWxQT5EBNmq4lz","name":"panel_11","type":"visualization"},{"id":"ebec2ea0-4c7c-11e8-9b0a-f1d33346f773","name":"panel_12","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3NSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"mapCenter\":[24.846565348219734,0.087890625],\"mapZoom\":2}},{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Connections - Destination - Sum of Total Bytes","version":1},"id":"ccfcc540-4638-11e7-a82e-d97152153689","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"1342e630-4632-11e7-9903-85f789353078","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - Entropy","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Strelka - File - Entropy\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"scan.entropy.entropy\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Entropy\"}}]}"},"id":"ce9e03f0-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3NywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Warning","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Warning\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.warning.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.warning.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Warning\"}}]}"},"id":"cf56b070-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Tunnels - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"id":"e89c9700-3641-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY3OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Country","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Tunnels - Country\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"},"id":"f60e0c40-6e34-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4MCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":20,\"x\":28,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":48,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"gridData\":{\"w\":20,\"h\":20,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":20,\"x\":8,\"y\":28,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Bro - Tunnels","version":1},"id":"d7b54ae0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"e89c9700-3641-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"43b2b040-3807-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"26457730-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"3cdf2400-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_4","type":"visualization"},{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"f60e0c40-6e34-11e7-9a19-a5996f8250c6","name":"panel_6","type":"visualization"},{"id":"33b39a60-6e35-11e7-9a19-a5996f8250c6","name":"panel_7","type":"visualization"},{"id":"53824da0-6e35-11e7-9a19-a5996f8250c6","name":"panel_8","type":"visualization"},{"id":"AWDHFYrqxQT5EBNmq4qT","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event_type:bro_conn\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Connections - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}"},"id":"d7d3dda0-54b9-11e9-a48f-b7dfb1d0f288","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Server Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Server Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.server_name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.server_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Name\"}}]}"},"id":"db4dc4a0-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4MywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network Datasets","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network Datasets\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}]}"},"id":"dbe4cc20-6ea7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"id":"dbfe2f00-6e35-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Queries","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Queries\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}}]}"},"id":"dcda5680-2927-11e8-b2a2-09f3986ae284","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - URI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.uri.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"f63cba40-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4NywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:sip\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"1e84368a-ad74-4d57-9793-5c9ce813045b\"},\"panelIndex\":\"1e84368a-ad74-4d57-9793-5c9ce813045b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"304e7cd2-dc4f-4bf4-b1fe-747091d61b67\"},\"panelIndex\":\"304e7cd2-dc4f-4bf4-b1fe-747091d61b67\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"e87052bf-935e-421b-8208-e798a37edf69\"},\"panelIndex\":\"e87052bf-935e-421b-8208-e798a37edf69\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"b2055759-c7fd-43ab-8613-6031e8e148d3\"},\"panelIndex\":\"b2055759-c7fd-43ab-8613-6031e8e148d3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"a303da32-bd43-45a5-acbf-093478d734f9\"},\"panelIndex\":\"a303da32-bd43-45a5-acbf-093478d734f9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":8,\"w\":8,\"h\":19,\"i\":\"d8632aad-86f0-4290-9480-75ec477ae4cd\"},\"panelIndex\":\"d8632aad-86f0-4290-9480-75ec477ae4cd\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":26,\"y\":8,\"w\":8,\"h\":19,\"i\":\"ee3b0df5-4a03-470b-9d26-4eedf4f8b8d6\"},\"panelIndex\":\"ee3b0df5-4a03-470b-9d26-4eedf4f8b8d6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":34,\"y\":8,\"w\":14,\"h\":19,\"i\":\"dbe534a3-1a06-4185-b78a-293d7ec848c4\"},\"panelIndex\":\"dbe534a3-1a06-4185-b78a-293d7ec848c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":12,\"h\":17,\"i\":\"45de60a4-61ab-4b78-8cc7-5a783070c9be\"},\"panelIndex\":\"45de60a4-61ab-4b78-8cc7-5a783070c9be\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":27,\"w\":12,\"h\":17,\"i\":\"9cb368f2-b652-4dc9-8427-b88a592e8361\"},\"panelIndex\":\"9cb368f2-b652-4dc9-8427-b88a592e8361\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":27,\"w\":24,\"h\":17,\"i\":\"b78c61e2-61c3-4c43-94d9-c3971ee375be\"},\"panelIndex\":\"b78c61e2-61c3-4c43-94d9-c3971ee375be\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - SIP","version":1},"id":"dd98e260-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"272b8ab0-75ca-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"9ff24600-75ca-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"f63cba40-75ca-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"49384710-75ca-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"81a1a740-75ca-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"},{"id":"cf56b070-75ca-11ea-9565-7315f4ee5cac","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4OCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":80,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"5\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"8\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\",\"embeddableConfig\":{}},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"9\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"10\",\"gridData\":{\"x\":8,\"y\":56,\"w\":40,\"h\":24,\"i\":\"10\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"13\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":24,\"i\":\"14\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - Weird","version":1},"id":"de2da250-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0dbcade0-3642-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"1b837b00-364e-11e7-9dc3-d35061cb642d","name":"panel_2","type":"visualization"},{"id":"312cd460-364e-11e7-9dc3-d35061cb642d","name":"panel_3","type":"visualization"},{"id":"8dbbbed0-364e-11e7-9dc3-d35061cb642d","name":"panel_4","type":"visualization"},{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"ca3e57d0-4172-11e7-9850-b78558d0ac17","name":"panel_6","type":"visualization"},{"id":"dbfe2f00-6e35-11e7-9a19-a5996f8250c6","name":"panel_7","type":"visualization"},{"id":"AWDHGXk-xQT5EBNmq4uf","name":"panel_8","type":"visualization"},{"id":"691ade50-4c85-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY4OSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Hash - SSDeep","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Hash - SSDeep\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Hash\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.ssdeep.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SSDeep\"}}]}"},"id":"e087c7d0-772d-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5MCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":63,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":63,\"w\":16,\"h\":28,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":63,\"w\":16,\"h\":28,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":91,\"w\":16,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":91,\"w\":16,\"h\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":32,\"y\":91,\"w\":16,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":16,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":8,\"y\":32,\"w\":40,\"h\":31,\"i\":\"19\"},\"panelIndex\":\"19\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"x\":0,\"y\":115,\"w\":48,\"h\":24,\"i\":\"25\"},\"panelIndex\":\"25\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"gridData\":{\"x\":30,\"y\":24,\"w\":18,\"h\":8,\"i\":\"26\"},\"panelIndex\":\"26\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"29\"},\"panelIndex\":\"29\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\"},{\"gridData\":{\"x\":32,\"y\":63,\"w\":16,\"h\":28,\"i\":\"31\"},\"panelIndex\":\"31\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":8,\"w\":22,\"h\":24,\"i\":\"32\"},\"panelIndex\":\"32\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"Bro - Connections","version":1},"id":"e0a34b90-34e6-11e7-9118-45bd317f0ca4","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"2da139c0-34e7-11e7-9118-45bd317f0ca4","name":"panel_1","type":"visualization"},{"id":"8261cf00-366e-11e7-8c78-e3086faf385c","name":"panel_2","type":"visualization"},{"id":"9a54f150-366e-11e7-8c78-e3086faf385c","name":"panel_3","type":"visualization"},{"id":"296823d0-366f-11e7-8c78-e3086faf385c","name":"panel_4","type":"visualization"},{"id":"b50912f0-366f-11e7-8c78-e3086faf385c","name":"panel_5","type":"visualization"},{"id":"05088150-3670-11e7-8c78-e3086faf385c","name":"panel_6","type":"visualization"},{"id":"c3152010-3673-11e7-8c78-e3086faf385c","name":"panel_7","type":"visualization"},{"id":"13fe29c0-3b17-11e7-b871-5f76306b9694","name":"panel_8","type":"visualization"},{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"25ce6eb0-463b-11e7-a82e-d97152153689","name":"panel_10","type":"visualization"},{"id":"AWDG71xFxQT5EBNmq336","name":"panel_11","type":"visualization"},{"id":"bc7fbe00-4a44-11e8-9b0a-f1d33346f773","name":"panel_12","type":"visualization"},{"id":"d7d3dda0-54b9-11e9-a48f-b7dfb1d0f288","name":"panel_13","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Destination Port (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Destination Port (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\"}}],\"listeners\":{}}"},"id":"e3717d80-6e0f-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}"},"id":"fab4b560-37d8-11e7-9efb-91e89505091f","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5MywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"3\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"4\",\"gridData\":{\"w\":48,\"h\":68,\"x\":0,\"y\":96,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{\"columns\":[\"certificate_subject\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":20,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"8\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"8\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"9\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"10\",\"gridData\":{\"w\":20,\"h\":20,\"x\":28,\"y\":8,\"i\":\"10\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{}},{\"panelIndex\":\"11\",\"gridData\":{\"w\":40,\"h\":20,\"x\":8,\"y\":28,\"i\":\"11\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"12\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"12\"},\"version\":\"7.3.0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Bro - X.509","version":1},"id":"e5aa7170-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"41bee360-3642-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"738127f0-37d7-11e7-9efb-91e89505091f","name":"panel_3","type":"visualization"},{"id":"fab4b560-37d8-11e7-9efb-91e89505091f","name":"panel_4","type":"visualization"},{"id":"0a5f7b30-37d9-11e7-9efb-91e89505091f","name":"panel_5","type":"visualization"},{"id":"150f7280-6e37-11e7-a8d6-ed2e692de531","name":"panel_6","type":"visualization"},{"id":"446e85c0-6e37-11e7-a8d6-ed2e692de531","name":"panel_7","type":"visualization"},{"id":"AWDHGklsxQT5EBNmq4wG","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5NCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Domain","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Host - Domain\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.domain.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Domain\"}}]}"},"id":"e80aa100-7375-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5NSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{\"mapCenter\":[39.639537564366684,0.17578125],\"mapZoom\":2}},{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Connections - Destination - Top Connection Duration","version":1},"id":"ea211360-46c4-11e7-a82e-d97152153689","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f7492d0-46c4-11e7-a82e-d97152153689","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5NiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Answers","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"answers.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}]}"},"id":"ff2af9b0-2927-11e8-b2a2-09f3986ae284","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5NywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"panelIndex\":\"1\",\"gridData\":{\"w\":8,\"h\":68,\"x\":0,\"y\":0,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"panelIndex\":\"5\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":44,\"i\":\"5\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"panelIndex\":\"6\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":44,\"i\":\"6\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"panelIndex\":\"7\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"7\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\",\"embeddableConfig\":{}},{\"panelIndex\":\"10\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":92,\"i\":\"10\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"panelIndex\":\"13\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"13\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"panelIndex\":\"16\",\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":116,\"i\":\"16\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]}},{\"panelIndex\":\"17\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"17\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\",\"embeddableConfig\":{}},{\"panelIndex\":\"21\",\"gridData\":{\"w\":16,\"h\":12,\"x\":32,\"y\":44,\"i\":\"21\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"panelIndex\":\"22\",\"gridData\":{\"w\":16,\"h\":12,\"x\":32,\"y\":56,\"i\":\"22\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\"},{\"panelIndex\":\"23\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"23\"},\"embeddableConfig\":{},\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"panelIndex\":\"24\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":68,\"i\":\"24\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"panelIndex\":\"25\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":68,\"i\":\"25\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\",\"embeddableConfig\":{}},{\"panelIndex\":\"26\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":20,\"i\":\"26\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_13\",\"embeddableConfig\":{}},{\"panelIndex\":\"27\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":20,\"i\":\"27\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_14\",\"embeddableConfig\":{}},{\"panelIndex\":\"28\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":20,\"i\":\"28\"},\"version\":\"7.3.0\",\"panelRefName\":\"panel_15\",\"embeddableConfig\":{}}]","timeRestore":false,"title":"Bro - DNS","version":1},"id":"ebf5ec90-34bf-11e7-9b32-bb903919ead9","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"6ef90c30-34c0-11e7-9b32-bb903919ead9","name":"panel_1","type":"visualization"},{"id":"57a9a3f0-34c0-11e7-9b32-bb903919ead9","name":"panel_2","type":"visualization"},{"id":"45a652b0-34c1-11e7-917c-af7a9d11771a","name":"panel_3","type":"visualization"},{"id":"e8e3b8a0-34c1-11e7-917c-af7a9d11771a","name":"panel_4","type":"visualization"},{"id":"1ecdd2e0-34c0-11e7-9b32-bb903919ead9","name":"panel_5","type":"visualization"},{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"e3717d80-6e0f-11e7-8624-1fb07dd76c6a","name":"panel_7","type":"visualization"},{"id":"4d89e140-6f09-11e7-9d31-23c0596994a7","name":"panel_8","type":"visualization"},{"id":"74861280-6f06-11e7-b253-211f64f37eda","name":"panel_9","type":"visualization"},{"id":"AWDG9Qx0xQT5EBNmq3_2","name":"panel_10","type":"visualization"},{"id":"dcda5680-2927-11e8-b2a2-09f3986ae284","name":"panel_11","type":"visualization"},{"id":"ff2af9b0-2927-11e8-b2a2-09f3986ae284","name":"panel_12","type":"visualization"},{"id":"22f7de30-4949-11e8-9576-313be7c6b44b","name":"panel_13","type":"visualization"},{"id":"0c338e50-4a4e-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"},{"id":"49e04860-4a4e-11e8-9b0a-f1d33346f773","name":"panel_15","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5OCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - File System","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - File System\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smb.file_system.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.file_system.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File System\"}}]}"},"id":"ed215680-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzY5OSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"h\":51,\"i\":\"4\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":22,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":51},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":17,\"i\":\"12\",\"w\":20,\"x\":8,\"y\":34},\"panelIndex\":\"12\",\"title\":\"NIDS Alert - Source Port\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"gridData\":{\"h\":17,\"i\":\"18\",\"w\":20,\"x\":28,\"y\":34},\"panelIndex\":\"18\",\"title\":\"NIDS Alert - Destination Port\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":40,\"x\":8,\"y\":18},\"panelIndex\":\"19\",\"title\":\"NIDS - Alert Summary \",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"20\",\"w\":17,\"x\":8,\"y\":8},\"panelIndex\":\"20\",\"title\":\"NIDS - Alert Title\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":23,\"x\":25,\"y\":8},\"panelIndex\":\"21\",\"title\":\"NIDS - Rule Signature\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"NIDS - SID Drilldown","version":1},"id":"ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"d58ec1a0-34e4-11e7-9669-7f1d3242b798","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"620283e0-3af5-11e7-a83b-b1b4da7d15f4","name":"panel_3","type":"visualization"},{"id":"AWDG3ym0xQT5EBNmq3mG","name":"panel_4","type":"visualization"},{"id":"3f040620-4a44-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"3a1b54b0-e061-11e9-8f0c-2ddbf5ed9290","name":"panel_6","type":"visualization"},{"id":"1b3faca0-e064-11e9-8f0c-2ddbf5ed9290","name":"panel_7","type":"visualization"},{"id":"6533dd40-e064-11e9-8f0c-2ddbf5ed9290","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwMCwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Version","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"ede56800-6ed7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwMSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:ssl\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"7ba54e84-e774-489e-b4e5-156bff163007\"},\"panelIndex\":\"7ba54e84-e774-489e-b4e5-156bff163007\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"83706228-debf-441c-ab7f-2e20c91ec132\"},\"panelIndex\":\"83706228-debf-441c-ab7f-2e20c91ec132\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"e06b2a92-d78b-4d77-9948-40a96a630656\"},\"panelIndex\":\"e06b2a92-d78b-4d77-9948-40a96a630656\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":20,\"i\":\"6f2ba042-522e-43a3-8b9f-0d00e1b60070\"},\"panelIndex\":\"6f2ba042-522e-43a3-8b9f-0d00e1b60070\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":10,\"h\":20,\"i\":\"f9b0f61d-4ff7-4bfb-a210-61ac7c07407a\"},\"panelIndex\":\"f9b0f61d-4ff7-4bfb-a210-61ac7c07407a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":19,\"y\":8,\"w\":11,\"h\":20,\"i\":\"19764782-13cb-4b14-b272-d30fbdead5a2\"},\"panelIndex\":\"19764782-13cb-4b14-b272-d30fbdead5a2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":20,\"i\":\"8e0caa58-2dba-4d73-bf54-2c5452b7e5ff\"},\"panelIndex\":\"8e0caa58-2dba-4d73-bf54-2c5452b7e5ff\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":28,\"w\":23,\"h\":20,\"i\":\"6ce88ef8-a636-4f1c-85e9-922ab70a500f\"},\"panelIndex\":\"6ce88ef8-a636-4f1c-85e9-922ab70a500f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":28,\"w\":25,\"h\":20,\"i\":\"a804d523-cf9b-47f1-85ca-4931defc69ce\"},\"panelIndex\":\"a804d523-cf9b-47f1-85ca-4931defc69ce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - SSL","version":1},"id":"efae8de0-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"db4dc4a0-75ec-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"b8371250-75ec-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"4e8cbf80-75ec-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwMiwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\",\"embeddableConfig\":{\"mapCenter\":[24.84656534821976,0.17578125],\"mapZoom\":2}}]","timeRestore":false,"title":"Connections - Source - Sum of Total Bytes","version":1},"id":"f042ad60-46c6-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"1156b1e0-46c7-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwMywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:smb*\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"4f0e2e7d-aeee-4de8-82f0-9faffa596a05\"},\"panelIndex\":\"4f0e2e7d-aeee-4de8-82f0-9faffa596a05\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"efd2f5f0-c795-41e8-b0d7-7a3012e04d4d\"},\"panelIndex\":\"efd2f5f0-c795-41e8-b0d7-7a3012e04d4d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"c4342fbe-e949-42d7-959c-c1ce6978033a\"},\"panelIndex\":\"c4342fbe-e949-42d7-959c-c1ce6978033a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"f59a811c-5a72-4337-84bd-32a5d1dce308\"},\"panelIndex\":\"f59a811c-5a72-4337-84bd-32a5d1dce308\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"5bb49dfa-0703-448b-a249-6cebb45e101c\"},\"panelIndex\":\"5bb49dfa-0703-448b-a249-6cebb45e101c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":18,\"y\":8,\"w\":10,\"h\":19,\"i\":\"4f886675-43c8-46c9-a471-717010d40e67\"},\"panelIndex\":\"4f886675-43c8-46c9-a471-717010d40e67\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":28,\"y\":8,\"w\":10,\"h\":19,\"i\":\"f00a4afd-cd5f-48a4-a8d3-bc80f7367285\"},\"panelIndex\":\"f00a4afd-cd5f-48a4-a8d3-bc80f7367285\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":38,\"y\":8,\"w\":10,\"h\":19,\"i\":\"c88f8f9f-c3d9-43c1-bfb1-bb2b7f64b92f\"},\"panelIndex\":\"c88f8f9f-c3d9-43c1-bfb1-bb2b7f64b92f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":20,\"i\":\"d76e30ec-3114-4100-a806-2a77ba987bbe\"},\"panelIndex\":\"d76e30ec-3114-4100-a806-2a77ba987bbe\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - SMB","version":1},"id":"f24d7b80-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"34762420-75f0-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"1c6567b0-75f0-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"ed215680-75ef-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"052df440-75f0-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwNCwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:playbook AND event.dataset:alert\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"c2172038-7740-458c-977a-98d139c438c2\"},\"panelIndex\":\"c2172038-7740-458c-977a-98d139c438c2\",\"embeddableConfig\":{\"title\":\"Security Onion - Alert Data\"},\"title\":\"Security Onion - Alert Data\",\"panelRefName\":\"panel_0\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":18,\"h\":8,\"i\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\"},\"panelIndex\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":8,\"i\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\"},\"panelIndex\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":26,\"h\":18,\"i\":\"1f88747a-06f5-4450-8d08-150d0cd37667\"},\"panelIndex\":\"1f88747a-06f5-4450-8d08-150d0cd37667\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":26,\"y\":8,\"w\":22,\"h\":18,\"i\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\"},\"panelIndex\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.7.1\",\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":21,\"i\":\"28431fa5-4ce9-40db-a190-541b3390f9d0\"},\"panelIndex\":\"28431fa5-4ce9-40db-a190-541b3390f9d0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"}]","timeRestore":false,"title":"Security Onion - Playbook","version":1},"id":"f449f0a0-c77c-11ea-bebb-37c5ab5894ea","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"search"}],"type":"dashboard","updated_at":"2020-07-16T16:10:05.109Z","version":"WzgyOCwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Zeek - Notice Action","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Zeek - Notice Action\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"notice.p: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"notice.action.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"fafba910-7a84-11ea-9d13-57f5db13d1ed","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwNSwxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:notice AND event.module:zeek\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"3c981b35-b930-4523-bef4-7f5193148816\"},\"panelIndex\":\"3c981b35-b930-4523-bef4-7f5193148816\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":16,\"h\":8,\"i\":\"eb1b234a-2d6b-46af-9afe-a420a389dad1\"},\"panelIndex\":\"eb1b234a-2d6b-46af-9afe-a420a389dad1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":8,\"i\":\"7d323b2f-3502-4397-93fd-b430d9011d92\"},\"panelIndex\":\"7d323b2f-3502-4397-93fd-b430d9011d92\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":19,\"h\":18,\"i\":\"298b9cf4-5e54-45f5-805c-e04b31044401\"},\"panelIndex\":\"298b9cf4-5e54-45f5-805c-e04b31044401\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":19,\"y\":8,\"w\":29,\"h\":18,\"i\":\"1fa5b7c2-2680-4dd0-9c07-a714d8d8968a\"},\"panelIndex\":\"1fa5b7c2-2680-4dd0-9c07-a714d8d8968a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":26,\"w\":11,\"h\":23,\"i\":\"9056cf20-d882-4316-ba02-91ecbd1d4df9\"},\"panelIndex\":\"9056cf20-d882-4316-ba02-91ecbd1d4df9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":11,\"y\":26,\"w\":11,\"h\":23,\"i\":\"5f855acb-fec5-4155-b2ef-0961a6d9a89c\"},\"panelIndex\":\"5f855acb-fec5-4155-b2ef-0961a6d9a89c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":26,\"w\":10,\"h\":23,\"i\":\"208bc4b2-013a-4aab-b72c-45a618077791\"},\"panelIndex\":\"208bc4b2-013a-4aab-b72c-45a618077791\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":32,\"y\":26,\"w\":16,\"h\":23,\"i\":\"5429bbba-3d62-4a93-9932-4a2cc4369775\"},\"panelIndex\":\"5429bbba-3d62-4a93-9932-4a2cc4369775\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - Zeek - Notices","version":1},"id":"fa9ed760-7734-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"9c6ccff0-7a84-11ea-9d13-57f5db13d1ed","name":"panel_3","type":"visualization"},{"id":"c8039090-7a84-11ea-9d13-57f5db13d1ed","name":"panel_4","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"fafba910-7a84-11ea-9d13-57f5db13d1ed","name":"panel_8","type":"visualization"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwNiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"event.module.keyword\",\"negate\":true,\"params\":{\"query\":\"suricata\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.module.keyword\":\"suricata\"}}}]}"},"savedSearchRefName":"search_0","title":"Security Onion - Playbook - Rules","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.name.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Playbook - Rules\"}"},"id":"faaf66e0-c77d-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-16T16:04:07.886Z","version":"WzgyNywyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Syslog - Severity (Donut)","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog.severity.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"syslog.severity.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Syslog - Severity (Donut)\"}"},"id":"fc8d41a0-777b-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2020-07-16T15:39:24.060Z","version":"Wzc5OSwyXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"source.ip.keyword: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"fd8b4640-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.7.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwNywxXQ=="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:strelka\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":7,\"i\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\"},\"panelIndex\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":21,\"h\":7,\"i\":\"566a9d04-f2dc-4868-9625-97a19d985703\"},\"panelIndex\":\"566a9d04-f2dc-4868-9625-97a19d985703\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":7,\"i\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\"},\"panelIndex\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":12,\"h\":20,\"i\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\"},\"panelIndex\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":7,\"w\":11,\"h\":20,\"i\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\"},\"panelIndex\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":7,\"w\":14,\"h\":20,\"i\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\"},\"panelIndex\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":37,\"y\":7,\"w\":11,\"h\":20,\"i\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\"},\"panelIndex\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":8,\"h\":20,\"i\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\"},\"panelIndex\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":27,\"w\":15,\"h\":20,\"i\":\"0e8800a9-a6f5-4a79-8370-61713f584886\"},\"panelIndex\":\"0e8800a9-a6f5-4a79-8370-61713f584886\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":27,\"w\":25,\"h\":20,\"i\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\"},\"panelIndex\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":27,\"i\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\"},\"panelIndex\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - Strelka","version":1},"id":"ff689c50-75f3-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.3.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"7a88adc0-75f0-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","name":"panel_4","type":"visualization"},{"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","name":"panel_5","type":"visualization"},{"id":"ce9e03f0-772c-11ea-bee5-af7f7c7b8e05","name":"panel_6","type":"visualization"},{"id":"a7ebb450-772c-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"08c0b770-772e-11ea-bee5-af7f7c7b8e05","name":"panel_8","type":"visualization"},{"id":"e087c7d0-772d-11ea-bee5-af7f7c7b8e05","name":"panel_9","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_10","type":"search"}],"type":"dashboard","updated_at":"2020-07-15T13:17:15.442Z","version":"WzcwOCwxXQ=="} +{"exportedCount":724,"missingRefCount":0,"missingReferences":[]} diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 6379d6ad0..9521c5bb1 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -1,5 +1,6 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} {% set FEATURES = salt['pillar.get']('elastic:features', False) %} {% if FEATURES %} {% set FEATURES = "-features" %} @@ -69,13 +70,13 @@ kibanabin: # Start the kibana docker so-kibana: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-kibana:{{ VERSION }}{{ FEATURES }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kibana:{{ VERSION }}{{ FEATURES }} - hostname: kibana - user: kibana - environment: - - ELASTICSEARCH_HOST={{ MASTER }} + - ELASTICSEARCH_HOST={{ MANAGER }} - ELASTICSEARCH_PORT=9200 - - MASTER={{ MASTER }} + - MANAGER={{ MANAGER }} - binds: - /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw - /opt/so/log/kibana:/var/log/kibana:rw @@ -94,7 +95,7 @@ kibanadashtemplate: wait_for_kibana: module.run: - http.wait_for_successful_query: - - url: "http://{{MASTER}}:5601/api/saved_objects/_find?type=config" + - url: "http://{{MANAGER}}:5601/api/saved_objects/_find?type=config" - wait_for: 180 - onchanges: - file: kibanadashtemplate diff --git a/salt/logstash/etc/logstash.yml b/salt/logstash/etc/logstash.yml index fc1df3d47..8f8dcec81 100644 --- a/salt/logstash/etc/logstash.yml +++ b/salt/logstash/etc/logstash.yml @@ -217,13 +217,8 @@ path.logs: /var/log/logstash # # Where to find custom plugins # path.plugins: [] -{% if grains['role'] == 'so-master' %} -{% set pipeline_workers = salt['pillar.get']('master:ls_pipeline_workers', '1') %} -{% set pipeline_batch = salt['pillar.get']('master:ls_pipeline_batch_size', '125') %} -{% else %} -{% set pipeline_workers = salt['pillar.get']('node:ls_pipeline_workers', '1') %} -{% set pipeline_batch = salt['pillar.get']('node:ls_pipeline_batch_size', '125') %} -{% endif %} +{% set pipeline_workers = salt['pillar.get']('logstash_settings:ls_pipeline_workers', '1') %} +{% set pipeline_batch = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', '125') %} pipeline.workers: {{ pipeline_workers }} pipeline.batch.size: {{ pipeline_batch }} diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 1118b6807..61d6aecc1 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -13,7 +13,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} {% set FEATURES = salt['pillar.get']('elastic:features', False) %} {% if FEATURES %} @@ -23,27 +24,23 @@ {% endif %} # Logstash Section - Decide which pillar to use -{% if grains['role'] == 'so-sensor' %} - {% set lsheap = salt['pillar.get']('sensor:lsheap', '') %} - {% set lsaccessip = salt['pillar.get']('sensor:lsaccessip', '') %} -{% elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %} - {% set lsheap = salt['pillar.get']('node:lsheap', '') %} - {% set nodetype = salt['pillar.get']('node:node_type', 'storage') %} -{% elif grains['role'] in ['so-eval','so-mastersearch', 'so-master', 'so-standalone'] %} - {% set lsheap = salt['pillar.get']('master:lsheap', '') %} - {% set freq = salt['pillar.get']('master:freq', '0') %} - {% set dstats = salt['pillar.get']('master:domainstats', '0') %} +{% set lsheap = salt['pillar.get']('logstash_settings:lsheap', '') %} +{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} + {% set freq = salt['pillar.get']('manager:freq', '0') %} + {% set dstats = salt['pillar.get']('manager:domainstats', '0') %} {% set nodetype = salt['grains.get']('role', '') %} {% elif grains['role'] == 'so-helix' %} - {% set lsheap = salt['pillar.get']('master:lsheap', '') %} - {% set freq = salt['pillar.get']('master:freq', '0') %} - {% set dstats = salt['pillar.get']('master:domainstats', '0') %} + {% set freq = salt['pillar.get']('manager:freq', '0') %} + {% set dstats = salt['pillar.get']('manager:domainstats', '0') %} {% set nodetype = salt['grains.get']('role', '') %} {% endif %} {% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %} -{% set TEMPLATES = salt['pillar.get']('logstash:templates', {}) %} {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %} +{% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} + +include: + - elasticsearch # Create the logstash group logstashgroup: @@ -100,21 +97,6 @@ ls_pipeline_{{PL}}: {% endfor %} -#sync templates to /opt/so/conf/logstash/etc -{% for TEMPLATE in TEMPLATES %} -ls_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}: - file.managed: - - source: salt://logstash/pipelines/templates/{{TEMPLATE}} - {% if 'jinja' in TEMPLATE.split('.')[-1] %} - - name: /opt/so/conf/logstash/etc/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}} - - template: jinja - {% else %} - - name: /opt/so/conf/logstash/etc/{{TEMPLATE.split('/')[1]}} - {% endif %} - - user: 931 - - group: 939 -{% endfor %} - lspipelinesyml: file.managed: - name: /opt/so/conf/logstash/etc/pipelines.yml @@ -132,12 +114,6 @@ lsetcsync: - group: 939 - template: jinja - clean: True -{% if TEMPLATES %} - - require: - {% for TEMPLATE in TEMPLATES %} - - file: ls_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} - {% endfor %} -{% endif %} - exclude_pat: pipelines* # Create the import directory @@ -166,7 +142,7 @@ lslogdir: so-logstash: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-logstash:{{ VERSION }}{{ FEATURES }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logstash:{{ VERSION }}{{ FEATURES }} - hostname: so-logstash - name: so-logstash - user: logstash @@ -177,13 +153,7 @@ so-logstash: - {{ BINDING }} {% endfor %} - binds: -{% for TEMPLATE in TEMPLATES %} - {% if 'jinja' in TEMPLATE.split('.')[-1] %} - - /opt/so/conf/logstash/etc/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}:/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}:ro - {% else %} - - /opt/so/conf/logstash/etc/{{TEMPLATE.split('/')[1]}}:/{{TEMPLATE.split('/')[1]}}:ro - {% endif %} -{% endfor %} + - /opt/so/conf/elasticsearch/templates/:/templates/:ro - /opt/so/conf/logstash/etc/log4j2.properties:/usr/share/logstash/config/log4j2.properties:ro - /opt/so/conf/logstash/etc/logstash.yml:/usr/share/logstash/config/logstash.yml:ro - /opt/so/conf/logstash/etc/pipelines.yml:/usr/share/logstash/config/pipelines.yml @@ -213,6 +183,5 @@ so-logstash: {% endfor %} {% endfor %} {% for TEMPLATE in TEMPLATES %} - - file: ls_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} -{% endfor %} -# - file: /opt/so/conf/logstash/rulesets + - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} +{% endfor %} \ No newline at end of file diff --git a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja index ede940367..2ce204875 100644 --- a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja @@ -1,14 +1,16 @@ {%- if grains.role == 'so-heavynode' %} -{%- set master = salt['pillar.get']('node:mainip', '') %} +{%- set MANAGER = salt['pillar.get']('elasticsearch:mainip', '') %} {%- else %} -{%- set master = salt['pillar.get']('static:masterip', '') %} +{%- set MANAGER = salt['pillar.get']('static:managerip', '') %} {% endif -%} +{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %} + input { redis { - host => '{{ master }}' + host => '{{ MANAGER }}' data_type => 'list' key => 'logstash:unparsed' type => 'redis-input' - # threads => 1 + threads => {{ THREADS }} } } diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index 6def12650..f86bf946c 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja @@ -1,29 +1,16 @@ {%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - - -filter { - if [module] =~ "zeek" { - mutate { - ##add_tag => [ "conf_file_9000"] - } - } -} output { - if [module] =~ "zeek" { + if [module] =~ "zeek" and "import" not in [tags] { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" index => "so-zeek-%{+YYYY.MM.dd}" template_name => "so-zeek" - template => "/so-zeek-template.json" + template => "/templates/so-zeek-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja b/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja deleted file mode 100644 index 824f29e34..000000000 --- a/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja +++ /dev/null @@ -1,27 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} -{%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if "switch" in [tags] and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9001"] - } - } -} -output { - if "switch" in [tags] and "test_data" not in [tags] { - #stdout { codec => rubydebug } - elasticsearch { - hosts => "{{ ES }}" - index => "so-switch-%{+YYYY.MM.dd}" - template => "/so-common-template.json" - } - } -} diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja index b8c12d80f..52c9f034a 100644 --- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja +++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja @@ -1,26 +1,16 @@ {%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Updated by: Doug Burks -# Last Update: 5/16/2017 - -filter { - if "import" in [tags] and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9002"] - } - } -} output { - if "import" in [tags] and "test_data" not in [tags] { -# stdout { codec => rubydebug } + if "import" in [tags] { elasticsearch { + pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" index => "so-import-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/so-common-template.json" + template_name => "so-import" + template => "/templates/so-import-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja index f830ffeb3..740676367 100644 --- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja +++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja @@ -1,27 +1,16 @@ {%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "sflow" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9004"] - } - } -} output { - if [event_type] == "sflow" and "test_data" not in [tags] { - #stdout { codec => rubydebug } + if [event_type] == "sflow" { elasticsearch { hosts => "{{ ES }}" index => "so-flow-%{+YYYY.MM.dd}" - template => "/so-common-template.json" + template_name => "so-flow" + template => "/templates/so-flow-template.json" + template_overwrite => true } } } diff --git a/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja b/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja deleted file mode 100644 index 0772841a8..000000000 --- a/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja +++ /dev/null @@ -1,26 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} -{%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "dhcp" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9026"] - } - } -} -output { - if [event_type] == "dhcp" and "test_data" not in [tags] { - #stdout { codec => rubydebug } - elasticsearch { - hosts => "{{ ES }}" - template => "/so-common-template.json" - } - } -} diff --git a/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja b/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja deleted file mode 100644 index fc664564c..000000000 --- a/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja +++ /dev/null @@ -1,25 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} -{%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "esxi" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9029"] - } - } -} -output { - if [event_type] == "esxi" and "test_data" not in [tags] { - elasticsearch { - hosts => "{{ ES }}" - template => "/so-common-template.json" - } - } -} diff --git a/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja b/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja deleted file mode 100644 index 1007d5f58..000000000 --- a/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja +++ /dev/null @@ -1,25 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} -{%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "greensql" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9030"] - } - } -} -output { - if [event_type] == "greensql" and "test_data" not in [tags] { - elasticsearch { - hosts => "{{ ES }}" - template => "/so-common-template.json" - } - } -} diff --git a/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja b/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja deleted file mode 100644 index f17616060..000000000 --- a/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja +++ /dev/null @@ -1,26 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} -{%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "iis" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9031"] - } - } -} -output { - if [event_type] == "iis" and "test_data" not in [tags] { - #stdout { codec => rubydebug } - elasticsearch { - hosts => "{{ ES }}" - template => "/so-common-template.json" - } - } -} diff --git a/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja b/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja deleted file mode 100644 index 9a6668619..000000000 --- a/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja +++ /dev/null @@ -1,26 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} -{%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "mcafee" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9032"] - } - } -} -output { - if [event_type] == "mcafee" and "test_data" not in [tags] { - #stdout { codec => rubydebug } - elasticsearch { - hosts => "{{ ES }}" - template => "/so-common-template.json" - } - } -} diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja index fdcbb0eb1..fed1ffdf5 100644 --- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja +++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja @@ -1,28 +1,15 @@ {%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "ids" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9033"] - } - } -} output { - if [event_type] == "ids" and "test_data" not in [tags] { - #stdout { codec => rubydebug } + if [event_type] == "ids" and "import" not in [tags] { elasticsearch { hosts => "{{ ES }}" index => "so-ids-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/so-common-template.json" + template_name => "so-ids" + template => "/templates/so-ids-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja index 7b35af576..5087f41da 100644 --- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja +++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja @@ -1,24 +1,16 @@ {%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} - -filter { - if [module] =~ "syslog" { - mutate { - ##add_tag => [ "conf_file_9000"] - } - } -} output { if [module] =~ "syslog" { elasticsearch { pipeline => "%{module}" hosts => "{{ ES }}" index => "so-syslog-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/so-common-template.json" + template_name => "so-syslog" + template => "/templates/so-syslog-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja index d09aae10b..01436cf5f 100644 --- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja @@ -1,20 +1,17 @@ {%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Author: Josh Brower -# Last Update: 12/29/2018 -# Output to ES for osquery tagged logs - - output { if [module] =~ "osquery" { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" index => "so-osquery-%{+YYYY.MM.dd}" - template => "/so-common-template.json" + template_name => "so-osquery" + template => "/templates/so-osquery-template.json" + template_overwrite => true } } } diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja index 41c82e21e..a295b5f7a 100644 --- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja +++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja @@ -1,28 +1,15 @@ {%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if "firewall" in [tags] and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9200"] - } - } -} output { - if "firewall" in [tags] and "test_data" not in [tags] { -# stdout { codec => rubydebug } + if "firewall" in [tags] { elasticsearch { hosts => "{{ ES }}" index => "so-firewall-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/so-common-template.json" + template_name => "so-firewall" + template => "/templates/so-firewall-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja b/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja deleted file mode 100644 index 8b8a9299f..000000000 --- a/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja +++ /dev/null @@ -1,27 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} -{%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "windows" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9300"] - } - } -} -output { - if [event_type] == "windows" and "test_data" not in [tags] { - #stdout { codec => rubydebug } - elasticsearch { - hosts => "{{ ES }}" - index => "so-windows-%{+YYYY.MM.dd}" - template => "/so-common-template.json" - } - } -} diff --git a/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja b/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja deleted file mode 100644 index fec703b1c..000000000 --- a/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja +++ /dev/null @@ -1,27 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} -{%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [event_type] == "dns" and "test_data" not in [tags] { - mutate { - ##add_tag => [ "conf_file_9301"] - } - } -} -output { - if [event_type] == "dns" and "test_data" not in [tags] { - #stdout { codec => rubydebug } - elasticsearch { - hosts => "{{ ES }}" - index => "so-%{+YYYY.MM.dd}" - template => "/so-common-template.json" - } - } -} diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index e7e917727..ace7cccf1 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja +++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja @@ -1,28 +1,16 @@ {%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - if [module] == "suricata" { - mutate { - ##add_tag => [ "conf_file_9400"] - } - } -} output { - if [module] =~ "suricata" { + if [module] =~ "suricata" and "import" not in [tags] { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" index => "so-ids-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/so-common-template.json" + template_name => "so-ids" + template => "/templates/so-ids-template.json" } } } diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja index e50c04eee..ed513f597 100644 --- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja +++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja @@ -1,17 +1,16 @@ {%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} - output { - if "beat-ext" in [tags] { + if "beat-ext" in [tags] and "import" not in [tags] { elasticsearch { pipeline => "beats.common" hosts => "{{ ES }}" index => "so-beats-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/so-common-template.json" + template_name => "so-beats" + template => "/templates/so-beats-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja index 93bffca7d..14a9bc1d1 100644 --- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja +++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja @@ -1,29 +1,16 @@ {%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Updated by: Doug Burks -# Last Update: 9/19/2018 - -filter { - if [module] =~ "ossec" { - mutate { - ##add_tag => [ "conf_file_9600"] - } - } -} - output { if [module] =~ "ossec" { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" index => "so-ossec-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/so-common-template.json" + template_name => "so-ossec" + template => "/templates/so-ossec-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja index 1e192a8ee..0e6977e29 100644 --- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja +++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja @@ -1,29 +1,16 @@ {%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('master:mainip', '') -%} +{%- set ES = salt['pillar.get']('manager:mainip', '') -%} {%- else %} -{%- set ES = salt['pillar.get']('node:mainip', '') -%} +{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - - -filter { - if [module] =~ "strelka" { - mutate { - ##add_tag => [ "conf_file_9000"] - } - } -} output { - if [event_type] =~ "strelka" { + if [module] =~ "strelka" { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" index => "so-strelka-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/so-common-template.json" + template_name => "so-strelka" + template => "/templates/so-strelka-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja index f176e0b94..71ec9f639 100644 --- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja @@ -1,26 +1,13 @@ -{%- if salt['grains.get']('role') == 'so-master' %} -{% set master = salt['pillar.get']('static:masterip', '') %} -{%- set nodetype = 'master' %} -{% elif grains.role == 'so-heavynode' %} -{% set master = salt['pillar.get']('node:mainip', '') %} -{%- set nodetype = salt['pillar.get']('node:node_type', 'search') %} -{%- else %} -{%- set nodetype = salt['pillar.get']('node:node_type', 'storage') %} -{% set master = salt['pillar.get']('static:masterip', '') %} -{%- endif %} - - +{% set MANAGER = salt['pillar.get']('static:managerip', '') %} +{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} output { redis { - host => '{{ master }}' + host => '{{ MANAGER }}' data_type => 'list' - {%- if nodetype == 'parser' %} - key => 'logstash:parsed' - {%- else %} key => 'logstash:unparsed' - {%- endif %} congestion_interval => 1 congestion_threshold => 50000000 - # batch_events => 500 + batch => true + batch_events => {{ BATCH }} } } diff --git a/salt/logstash/pipelines/templates/so/so-zeek-template.json b/salt/logstash/pipelines/templates/so/so-zeek-template.json deleted file mode 100644 index 61a95c0e7..000000000 --- a/salt/logstash/pipelines/templates/so/so-zeek-template.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "index_patterns": ["so-zeek-*"], - "version":50001, - "order" : 11, - "settings":{ - "number_of_replicas":0, - "number_of_shards":1, - "index.refresh_interval":"30s" - } -} diff --git a/salt/master/files/acng/acng.conf b/salt/manager/files/acng/acng.conf similarity index 100% rename from salt/master/files/acng/acng.conf rename to salt/manager/files/acng/acng.conf diff --git a/salt/master/files/add_minion.sh b/salt/manager/files/add_minion.sh similarity index 100% rename from salt/master/files/add_minion.sh rename to salt/manager/files/add_minion.sh diff --git a/salt/master/init.sls b/salt/manager/init.sls similarity index 81% rename from salt/master/init.sls rename to salt/manager/init.sls index 3c6b81e5e..aef705724 100644 --- a/salt/master/init.sls +++ b/salt/manager/init.sls @@ -13,8 +13,9 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} -{% set masterproxy = salt['pillar.get']('static:masterupdate', '0') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} +{% set managerproxy = salt['pillar.get']('static:managerupdate', '0') %} socore_own_saltstack: file.directory: @@ -25,7 +26,12 @@ socore_own_saltstack: - user - group -{% if masterproxy == 1 %} +/opt/so/saltstack/default/pillar/data/addtotab.sh: + file.managed: + - mode: 750 + - replace: False + +{% if managerproxy == 1 %} # Create the directories for apt-cacher-ng aptcacherconfdir: @@ -54,12 +60,12 @@ aptcacherlogdir: acngcopyconf: file.managed: - name: /opt/so/conf/aptcacher-ng/etc/acng.conf - - source: salt://master/files/acng/acng.conf + - source: salt://manager/files/acng/acng.conf # Install the apt-cacher-ng container so-aptcacherng: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-acng:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-acng:{{ VERSION }} - hostname: so-acng - restart_policy: always - port_bindings: diff --git a/salt/master/files/registry/scripts/so-docker-download b/salt/master/files/registry/scripts/so-docker-download deleted file mode 100644 index 2670acf26..000000000 --- a/salt/master/files/registry/scripts/so-docker-download +++ /dev/null @@ -1,47 +0,0 @@ -#!/bin/bash - -MASTER={{ MASTER }} -VERSION="HH1.2.2" -TRUSTED_CONTAINERS=( \ -"so-nginx:$VERSION" \ -"so-cyberchef:$VERSION" \ -"so-acng:$VERSION" \ -"so-soc:$VERSION" \ -"so-kratos:$VERSION" \ -"so-fleet:$VERSION" \ -"so-soctopus:$VERSION" \ -"so-steno:$VERSION" \ -"so-playbook:$VERSION" \ -"so-thehive-cortex:$VERSION" \ -"so-thehive:$VERSION" \ -"so-thehive-es:$VERSION" \ -"so-wazuh:$VERSION" \ -"so-kibana:$VERSION" \ -"so-elastalert:$VERSION" \ -"so-navigator:$VERSION" \ -"so-filebeat:$VERSION" \ -"so-suricata:$VERSION" \ -"so-logstash:$VERSION" \ -"so-bro:$VERSION" \ -"so-idstools:$VERSION" \ -"so-fleet-launcher:$VERSION" \ -"so-freqserver:$VERSION" \ -"so-influxdb:$VERSION" \ -"so-grafana:$VERSION" \ -"so-telegraf:$VERSION" \ -"so-redis:$VERSION" \ -"so-mysql:$VERSION" \ -"so-curtor:$VERSION" \ -"so-elasticsearch:$VERSION" \ -"so-domainstats:$VERSION" \ -"so-tcpreplay:$VERSION" \ -) - -for i in "${TRUSTED_CONTAINERS[@]}" -do - # Pull down the trusted docker image - docker pull --disable-content-trust=false docker.io/soshybridhunter/$i - # Tag it with the new registry destination - docker tag soshybridhunter/$i $MASTER:5000/soshybridhunter/$i - docker push $MASTER:5000/soshybridhunter/$i -done diff --git a/salt/minio/init.sls b/salt/minio/init.sls index 7b4dd5673..2d5941301 100644 --- a/salt/minio/init.sls +++ b/salt/minio/init.sls @@ -13,8 +13,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set access_key = salt['pillar.get']('master:access_key', '') %} -{% set access_secret = salt['pillar.get']('master:access_secret', '') %} +{% set access_key = salt['pillar.get']('manager:access_key', '') %} +{% set access_secret = salt['pillar.get']('manager:access_secret', '') %} # Minio Setup minioconfdir: diff --git a/salt/motd/files/package_update_reboot_required.jinja b/salt/motd/files/so_motd.jinja similarity index 79% rename from salt/motd/files/package_update_reboot_required.jinja rename to salt/motd/files/so_motd.jinja index 6d94fc613..43ad3b4de 100644 --- a/salt/motd/files/package_update_reboot_required.jinja +++ b/salt/motd/files/so_motd.jinja @@ -1,4 +1,11 @@ {% set needs_restarting_check = salt['mine.get']('*', 'needs_restarting.check', tgt_type='glob') -%} +{% set role = grains.id.split('_') | last -%} +{% set url = salt['pillar.get']('manager:url_base') -%} + +{% if role in ['eval', 'managersearch', 'manager', 'standalone'] %} +Access the Security Onion web interface at https://{{ url }} +(You may need to run so-allow first if you haven't yet) +{% endif %} {%- if needs_restarting_check %} {%- set minions_need_restarted = [] %} diff --git a/salt/motd/init.sls b/salt/motd/init.sls index 4dae979bf..06ad270a1 100644 --- a/salt/motd/init.sls +++ b/salt/motd/init.sls @@ -1,5 +1,5 @@ -package_update_reboot_required_motd: +so_motd: file.managed: - name: /etc/motd - - source: salt://motd/files/package_update_reboot_required.jinja + - source: salt://motd/files/so_motd.jinja - template: jinja diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index c96be214c..c4caa5fcd 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -1,15 +1,16 @@ {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %} -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} -{% set MAINIP = salt['pillar.get']('node:mainip') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} +{% set MAINIP = salt['pillar.get']('elasticsearch:mainip') %} {% set FLEETARCH = salt['grains.get']('role') %} {% if FLEETARCH == "so-fleet" %} {% set MAININT = salt['pillar.get']('host:mainint') %} {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} {% else %} - {% set MAINIP = salt['pillar.get']('static:masterip') %} + {% set MAINIP = salt['pillar.get']('static:managerip') %} {% endif %} # MySQL Setup @@ -71,7 +72,7 @@ mysql_password_none: so-mysql: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-mysql:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-mysql:{{ VERSION }} - hostname: so-mysql - user: socore - port_bindings: diff --git a/salt/navigator/init.sls b/salt/navigator/init.sls deleted file mode 100644 index 67c5060f6..000000000 --- a/salt/navigator/init.sls +++ /dev/null @@ -1,22 +0,0 @@ -{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} - -navigatorconfig: - file.managed: - - name: /opt/so/conf/navigator/navigator_config.json - - source: salt://navigator/files/navigator_config.json - - user: 939 - - group: 939 - - makedirs: True - - template: jinja - -so-navigator: - docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-navigator:{{ VERSION }} - - hostname: navigator - - name: so-navigator - - binds: - - /opt/so/conf/navigator/navigator_config.json:/nav-app/src/assets/config.json:ro - - /opt/so/conf/navigator/nav_layer_playbook.json:/nav-app/src/assets/playbook.json:ro - - port_bindings: - - 0.0.0.0:4200:4200 diff --git a/salt/nginx/etc/nginx.conf.so-eval b/salt/nginx/etc/nginx.conf.so-eval index 193932ade..2998a5bf2 100644 --- a/salt/nginx/etc/nginx.conf.so-eval +++ b/salt/nginx/etc/nginx.conf.so-eval @@ -1,5 +1,5 @@ -{%- set masterip = salt['pillar.get']('master:mainip', '') %} -{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %} +{%- set managerip = salt['pillar.get']('manager:mainip', '') %} +{%- set FLEET_MANAGER = salt['pillar.get']('static:fleet_manager') %} {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} {%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %} # For more information on configuration, see: @@ -14,318 +14,313 @@ pid /run/nginx.pid; include /usr/share/nginx/modules/*.conf; events { - worker_connections 1024; + worker_connections 1024; } http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /var/log/nginx/access.log main; - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - client_max_body_size 1024M; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + client_max_body_size 1024M; - include /etc/nginx/mime.types; - default_type application/octet-stream; + include /etc/nginx/mime.types; + default_type application/octet-stream; - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; + # Load modular configuration files from the /etc/nginx/conf.d directory. + # See http://nginx.org/en/docs/ngx_core_module.html#include + # for more information. + include /etc/nginx/conf.d/*.conf; - #server { - # listen 80 default_server; - # listen [::]:80 default_server; - # server_name _; - # root /opt/socore/html; - # index index.html; + #server { + # listen 80 default_server; + # listen [::]:80 default_server; + # server_name _; + # root /opt/socore/html; + # index index.html; - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; + # Load configuration files for the default server block. + #include /etc/nginx/default.d/*.conf; - # location / { - # } + # location / { + # } - # error_page 404 /404.html; - # location = /40x.html { - # } + # error_page 404 /404.html; + # location = /40x.html { + # } - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # } - #} - server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; - } + # error_page 500 502 503 504 /50x.html; + # location = /50x.html { + # } + #} + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } -{% if FLEET_MASTER %} - server { - listen 8090 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index blank.html; +{% if FLEET_MANAGER %} + server { + listen 8090 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index blank.html; - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ masterip }}:8080; - grpc_set_header Host $host; - grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_buffering off; - } + location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { + grpc_pass grpcs://{{ managerip }}:8080; + grpc_set_header Host $host; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_buffering off; + } - } + } {% endif %} # Settings for a TLS enabled server. - server { - listen 443 ssl http2 default_server; - #listen [::]:443 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index index.html; + server { + listen 443 ssl http2 default_server; + #listen [::]:443 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index index.html; - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; + # Load configuration files for the default server block. + #include /etc/nginx/default.d/*.conf; - location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ masterip }}:9822; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } + location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { + proxy_pass http://{{ managerip }}:9822; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-Proto $scheme; + } - location / { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } + location / { + auth_request /auth/sessions/whoami; + proxy_pass http://{{ managerip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-Proto $scheme; + } - location ~ ^/auth/.*?(whoami|login|logout|settings) { - rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ masterip }}:4433; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location ~ ^/auth/.*?(whoami|login|logout|settings) { + rewrite /auth/(.*) /$1 break; + proxy_pass http://{{ managerip }}:4433; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /cyberchef/ { - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /cyberchef/ { + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /cyberchef { - rewrite ^ /cyberchef/ permanent; - } + location /navigator/ { + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /packages/ { - try_files $uri =206; - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /grafana/ { - rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /packages/ { + try_files $uri =206; + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /grafana/ { + auth_request /auth/sessions/whoami; + rewrite /grafana/(.*) /$1 break; + proxy_pass http://{{ managerip }}:3000/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /kibana/ { - auth_request /auth/sessions/whoami; - rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/ { + auth_request /auth/sessions/whoami; + rewrite /kibana/(.*) /$1 break; + proxy_pass http://{{ managerip }}:5601/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /nodered/ { - proxy_pass http://{{ masterip }}:1880/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /nodered/ { + proxy_pass http://{{ managerip }}:1880/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /playbook/ { + proxy_pass http://{{ managerip }}:3200/playbook/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + {%- if FLEET_NODE %} + location /fleet/ { + return 301 https://{{ FLEET_IP }}/fleet; + } + {%- else %} + location /fleet/ { + proxy_pass https://{{ managerip }}:8080; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + {%- endif %} - location /navigator/ { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:4200/navigator/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /thehive/ { + proxy_pass http://{{ managerip }}:9000/thehive/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - {%- if FLEET_NODE %} - location /fleet/ { - return 301 https://{{ FLEET_IP }}/fleet; - } - {%- else %} - location /fleet/ { - proxy_pass https://{{ masterip }}:8080; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - {%- endif %} + location /cortex/ { + proxy_pass http://{{ managerip }}:9001/cortex/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /soctopus/ { + proxy_pass http://{{ managerip }}:7000/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/app/soc/ { + rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; + } - location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/app/fleet/ { + rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; + } - location /kibana/app/soc/ { - rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; - } + location /kibana/app/soctopus/ { + rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; + } - location /kibana/app/fleet/ { - rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; - } + location /sensoroniagents/ { + proxy_pass http://{{ managerip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /kibana/app/soctopus/ { - rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; - } + error_page 401 = @error401; - location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location @error401 { + add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; + return 302 /auth/self-service/browser/flows/login; + } - error_page 401 = @error401; + #error_page 404 /404.html; + # location = /usr/share/nginx/html/40x.html { + #} - location @error401 { - add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; - return 302 /auth/self-service/browser/flows/login; - } - - #error_page 404 /404.html; - # location = /usr/share/nginx/html/40x.html { - #} - - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } + error_page 500 502 503 504 /50x.html; + location = /usr/share/nginx/html/50x.html { + } + } } diff --git a/salt/nginx/etc/nginx.conf.so-fleet b/salt/nginx/etc/nginx.conf.so-fleet index c4144447c..937f09a5b 100644 --- a/salt/nginx/etc/nginx.conf.so-fleet +++ b/salt/nginx/etc/nginx.conf.so-fleet @@ -14,87 +14,87 @@ pid /run/nginx.pid; include /usr/share/nginx/modules/*.conf; events { - worker_connections 1024; + worker_connections 1024; } http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /var/log/nginx/access.log main; - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; - include /etc/nginx/mime.types; - default_type application/octet-stream; + include /etc/nginx/mime.types; + default_type application/octet-stream; - include /etc/nginx/conf.d/*.conf; + include /etc/nginx/conf.d/*.conf; - server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; - } + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } - server { - listen 8090 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index blank.html; + server { + listen 8090 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index blank.html; - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ MAINIP }}:8080; - grpc_set_header Host $host; - grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_buffering off; - } + location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { + grpc_pass grpcs://{{ MAINIP }}:8080; + grpc_set_header Host $host; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_buffering off; + } - } + } - server { - listen 443 ssl http2 default_server; - server_name _; - root /opt/socore/html/packages; - index index.html; + server { + listen 443 ssl http2 default_server; + server_name _; + root /opt/socore/html/packages; + index index.html; - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - location /fleet/ { - proxy_pass https://{{ MAINIP }}:8080; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /fleet/ { + proxy_pass https://{{ MAINIP }}:8080; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - #error_page 404 /404.html; - # location = /40x.html { - #} + #error_page 404 /404.html; + # location = /40x.html { + #} - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } + error_page 500 502 503 504 /50x.html; + location = /usr/share/nginx/html/50x.html { + } + } } diff --git a/salt/nginx/etc/nginx.conf.so-heavynode b/salt/nginx/etc/nginx.conf.so-heavynode index f3fc913de..7ec3fef7d 100644 --- a/salt/nginx/etc/nginx.conf.so-heavynode +++ b/salt/nginx/etc/nginx.conf.so-heavynode @@ -11,50 +11,50 @@ pid /run/nginx.pid; include /usr/share/nginx/modules/*.conf; events { - worker_connections 1024; + worker_connections 1024; } http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /var/log/nginx/access.log main; - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; - include /etc/nginx/mime.types; - default_type application/octet-stream; + include /etc/nginx/mime.types; + default_type application/octet-stream; - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; + # Load modular configuration files from the /etc/nginx/conf.d directory. + # See http://nginx.org/en/docs/ngx_core_module.html#include + # for more information. + include /etc/nginx/conf.d/*.conf; - server { - listen 80 default_server; - listen [::]:80 default_server; - server_name _; - root /usr/share/nginx/html; + server { + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + root /usr/share/nginx/html; - # Load configuration files for the default server block. - include /etc/nginx/default.d/*.conf; + # Load configuration files for the default server block. + include /etc/nginx/default.d/*.conf; - location / { - } + location / { + } - error_page 404 /404.html; - location = /40x.html { - } + error_page 404 /404.html; + location = /40x.html { + } - error_page 500 502 503 504 /50x.html; - location = /50x.html { - } - } + error_page 500 502 503 504 /50x.html; + location = /50x.html { + } + } # Settings for a TLS enabled server. # diff --git a/salt/nginx/etc/nginx.conf.so-manager b/salt/nginx/etc/nginx.conf.so-manager new file mode 100644 index 000000000..bdb342cac --- /dev/null +++ b/salt/nginx/etc/nginx.conf.so-manager @@ -0,0 +1,326 @@ +{%- set managerip = salt['pillar.get']('manager:mainip', '') %} +{%- set FLEET_MANAGER = salt['pillar.get']('static:fleet_manager') %} +{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} +{%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %} +# For more information on configuration, see: +# * Official English Documentation: http://nginx.org/en/docs/ +# * Official Russian Documentation: http://nginx.org/ru/docs/ + +worker_processes auto; +error_log /var/log/nginx/error.log; +pid /run/nginx.pid; + +# Load dynamic modules. See /usr/share/nginx/README.dynamic. +include /usr/share/nginx/modules/*.conf; + +events { + worker_connections 1024; +} + +http { + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + client_max_body_size 1024M; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Load modular configuration files from the /etc/nginx/conf.d directory. + # See http://nginx.org/en/docs/ngx_core_module.html#include + # for more information. + include /etc/nginx/conf.d/*.conf; + + #server { + # listen 80 default_server; + # listen [::]:80 default_server; + # server_name _; + # root /opt/socore/html; + # index index.html; + + # Load configuration files for the default server block. + #include /etc/nginx/default.d/*.conf; + + # location / { + # } + + # error_page 404 /404.html; + # location = /40x.html { + # } + + # error_page 500 502 503 504 /50x.html; + # location = /50x.html { + # } + #} + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } + +{% if FLEET_MANAGER %} + server { + listen 8090 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index blank.html; + + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + + location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { + grpc_pass grpcs://{{ managerip }}:8080; + grpc_set_header Host $host; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_buffering off; + } + + } +{% endif %} + +# Settings for a TLS enabled server. + + server { + listen 443 ssl http2 default_server; + #listen [::]:443 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index index.html; + + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + + # Load configuration files for the default server block. + #include /etc/nginx/default.d/*.conf; + + location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { + proxy_pass http://{{ managerip }}:9822; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location / { + auth_request /auth/sessions/whoami; + proxy_pass http://{{ managerip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location ~ ^/auth/.*?(whoami|login|logout|settings) { + rewrite /auth/(.*) /$1 break; + proxy_pass http://{{ managerip }}:4433; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /cyberchef/ { + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /navigator/ { + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /packages/ { + try_files $uri =206; + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /grafana/ { + auth_request /auth/sessions/whoami; + rewrite /grafana/(.*) /$1 break; + proxy_pass http://{{ managerip }}:3000/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /kibana/ { + auth_request /auth/sessions/whoami; + rewrite /kibana/(.*) /$1 break; + proxy_pass http://{{ managerip }}:5601/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /nodered/ { + proxy_pass http://{{ managerip }}:1880/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /playbook/ { + proxy_pass http://{{ managerip }}:3200/playbook/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + {%- if FLEET_NODE %} + location /fleet/ { + return 301 https://{{ FLEET_IP }}/fleet; + } + {%- else %} + location /fleet/ { + proxy_pass https://{{ managerip }}:8080; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + {%- endif %} + + location /thehive/ { + proxy_pass http://{{ managerip }}:9000/thehive/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /cortex/ { + proxy_pass http://{{ managerip }}:9001/cortex/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /soctopus/ { + proxy_pass http://{{ managerip }}:7000/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /kibana/app/soc/ { + rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; + } + + location /kibana/app/fleet/ { + rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; + } + + location /kibana/app/soctopus/ { + rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; + } + + location /sensoroniagents/ { + proxy_pass http://{{ managerip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + error_page 401 = @error401; + + location @error401 { + add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; + return 302 /auth/self-service/browser/flows/login; + } + + #error_page 404 /404.html; + # location = /40x.html { + #} + + error_page 500 502 503 504 /50x.html; + location = /usr/share/nginx/html/50x.html { + } + } + +} diff --git a/salt/nginx/etc/nginx.conf.so-managersearch b/salt/nginx/etc/nginx.conf.so-managersearch new file mode 100644 index 000000000..cb7576923 --- /dev/null +++ b/salt/nginx/etc/nginx.conf.so-managersearch @@ -0,0 +1,325 @@ +{%- set managerip = salt['pillar.get']('manager:mainip', '') %} +{%- set FLEET_MANAGER = salt['pillar.get']('static:fleet_manager') %} +{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} +{%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %} +# For more information on configuration, see: +# * Official English Documentation: http://nginx.org/en/docs/ +# * Official Russian Documentation: http://nginx.org/ru/docs/ + +worker_processes auto; +error_log /var/log/nginx/error.log; +pid /run/nginx.pid; + +# Load dynamic modules. See /usr/share/nginx/README.dynamic. +include /usr/share/nginx/modules/*.conf; + +events { + worker_connections 1024; +} + +http { + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + client_max_body_size 1024M; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Load modular configuration files from the /etc/nginx/conf.d directory. + # See http://nginx.org/en/docs/ngx_core_module.html#include + # for more information. + include /etc/nginx/conf.d/*.conf; + + #server { + # listen 80 default_server; + # listen [::]:80 default_server; + # server_name _; + # root /opt/socore/html; + # index index.html; + + # Load configuration files for the default server block. + #include /etc/nginx/default.d/*.conf; + + # location / { + # } + + # error_page 404 /404.html; + # location = /40x.html { + # } + + # error_page 500 502 503 504 /50x.html; + # location = /50x.html { + # } + #} + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } + +{% if FLEET_MANAGER %} + server { + listen 8090 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index blank.html; + + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + + location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { + grpc_pass grpcs://{{ managerip }}:8080; + grpc_set_header Host $host; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_buffering off; + } + } +{% endif %} + +# Settings for a TLS enabled server. + + server { + listen 443 ssl http2 default_server; + #listen [::]:443 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index index.html; + + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + + # Load configuration files for the default server block. + #include /etc/nginx/default.d/*.conf; + + location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { + proxy_pass http://{{ managerip }}:9822; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location / { + auth_request /auth/sessions/whoami; + proxy_pass http://{{ managerip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location ~ ^/auth/.*?(whoami|login|logout|settings) { + rewrite /auth/(.*) /$1 break; + proxy_pass http://{{ managerip }}:4433; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /cyberchef/ { + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /navigator/ { + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /packages/ { + try_files $uri =206; + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /grafana/ { + auth_request /auth/sessions/whoami; + rewrite /grafana/(.*) /$1 break; + proxy_pass http://{{ managerip }}:3000/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /kibana/ { + auth_request /auth/sessions/whoami; + rewrite /kibana/(.*) /$1 break; + proxy_pass http://{{ managerip }}:5601/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /nodered/ { + proxy_pass http://{{ managerip }}:1880/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /playbook/ { + proxy_pass http://{{ managerip }}:3200/playbook/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + {%- if FLEET_NODE %} + location /fleet/ { + return 301 https://{{ FLEET_IP }}/fleet; + } + {%- else %} + location /fleet/ { + proxy_pass https://{{ managerip }}:8080; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + {%- endif %} + + location /thehive/ { + proxy_pass http://{{ managerip }}:9000/thehive/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /cortex/ { + proxy_pass http://{{ managerip }}:9001/cortex/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /soctopus/ { + proxy_pass http://{{ managerip }}:7000/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /kibana/app/soc/ { + rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; + } + + location /kibana/app/fleet/ { + rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; + } + + location /kibana/app/soctopus/ { + rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; + } + + location /sensoroniagents/ { + proxy_pass http://{{ managerip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + error_page 401 = @error401; + + location @error401 { + add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; + return 302 /auth/self-service/browser/flows/login; + } + + #error_page 404 /404.html; + # location = /40x.html { + #} + + error_page 500 502 503 504 /50x.html; + location = /usr/share/nginx/html/50x.html { + } + } + +} diff --git a/salt/nginx/etc/nginx.conf.so-master b/salt/nginx/etc/nginx.conf.so-master deleted file mode 100644 index 64e1fa7d6..000000000 --- a/salt/nginx/etc/nginx.conf.so-master +++ /dev/null @@ -1,331 +0,0 @@ -{%- set masterip = salt['pillar.get']('master:mainip', '') %} -{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %} -{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} -{%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %} -# For more information on configuration, see: -# * Official English Documentation: http://nginx.org/en/docs/ -# * Official Russian Documentation: http://nginx.org/ru/docs/ - -worker_processes auto; -error_log /var/log/nginx/error.log; -pid /run/nginx.pid; - -# Load dynamic modules. See /usr/share/nginx/README.dynamic. -include /usr/share/nginx/modules/*.conf; - -events { - worker_connections 1024; -} - -http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - client_max_body_size 1024M; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; - - #server { - # listen 80 default_server; - # listen [::]:80 default_server; - # server_name _; - # root /opt/socore/html; - # index index.html; - - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; - - # location / { - # } - - # error_page 404 /404.html; - # location = /40x.html { - # } - - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # } - #} - server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; - } - -{% if FLEET_MASTER %} - server { - listen 8090 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index blank.html; - - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - - location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ masterip }}:8080; - grpc_set_header Host $host; - grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_buffering off; - } - - } -{% endif %} - -# Settings for a TLS enabled server. - - server { - listen 443 ssl http2 default_server; - #listen [::]:443 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index index.html; - - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; - - location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ masterip }}:9822; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location / { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location ~ ^/auth/.*?(whoami|login|logout|settings) { - rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ masterip }}:4433; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /cyberchef/ { - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /cyberchef { - rewrite ^ /cyberchef/ permanent; - } - - location /packages/ { - try_files $uri =206; - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /grafana/ { - rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /kibana/ { - auth_request /auth/sessions/whoami; - rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /nodered/ { - proxy_pass http://{{ masterip }}:1880/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - - location /navigator/ { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:4200/navigator/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - {%- if FLEET_NODE %} - location /fleet/ { - return 301 https://{{ FLEET_IP }}/fleet; - } - {%- else %} - location /fleet/ { - proxy_pass https://{{ masterip }}:8080; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - {%- endif %} - - location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /kibana/app/soc/ { - rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; - } - - location /kibana/app/fleet/ { - rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; - } - - location /kibana/app/soctopus/ { - rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; - } - - location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - error_page 401 = @error401; - - location @error401 { - add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; - return 302 /auth/self-service/browser/flows/login; - } - - #error_page 404 /404.html; - # location = /40x.html { - #} - - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } - -} diff --git a/salt/nginx/etc/nginx.conf.so-mastersearch b/salt/nginx/etc/nginx.conf.so-mastersearch deleted file mode 100644 index 64e1fa7d6..000000000 --- a/salt/nginx/etc/nginx.conf.so-mastersearch +++ /dev/null @@ -1,331 +0,0 @@ -{%- set masterip = salt['pillar.get']('master:mainip', '') %} -{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %} -{%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} -{%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %} -# For more information on configuration, see: -# * Official English Documentation: http://nginx.org/en/docs/ -# * Official Russian Documentation: http://nginx.org/ru/docs/ - -worker_processes auto; -error_log /var/log/nginx/error.log; -pid /run/nginx.pid; - -# Load dynamic modules. See /usr/share/nginx/README.dynamic. -include /usr/share/nginx/modules/*.conf; - -events { - worker_connections 1024; -} - -http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - client_max_body_size 1024M; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; - - #server { - # listen 80 default_server; - # listen [::]:80 default_server; - # server_name _; - # root /opt/socore/html; - # index index.html; - - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; - - # location / { - # } - - # error_page 404 /404.html; - # location = /40x.html { - # } - - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # } - #} - server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; - } - -{% if FLEET_MASTER %} - server { - listen 8090 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index blank.html; - - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - - location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ masterip }}:8080; - grpc_set_header Host $host; - grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_buffering off; - } - - } -{% endif %} - -# Settings for a TLS enabled server. - - server { - listen 443 ssl http2 default_server; - #listen [::]:443 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index index.html; - - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; - - location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ masterip }}:9822; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location / { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location ~ ^/auth/.*?(whoami|login|logout|settings) { - rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ masterip }}:4433; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /cyberchef/ { - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /cyberchef { - rewrite ^ /cyberchef/ permanent; - } - - location /packages/ { - try_files $uri =206; - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /grafana/ { - rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /kibana/ { - auth_request /auth/sessions/whoami; - rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /nodered/ { - proxy_pass http://{{ masterip }}:1880/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - - location /navigator/ { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:4200/navigator/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - {%- if FLEET_NODE %} - location /fleet/ { - return 301 https://{{ FLEET_IP }}/fleet; - } - {%- else %} - location /fleet/ { - proxy_pass https://{{ masterip }}:8080; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - {%- endif %} - - location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /kibana/app/soc/ { - rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; - } - - location /kibana/app/fleet/ { - rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; - } - - location /kibana/app/soctopus/ { - rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; - } - - location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - error_page 401 = @error401; - - location @error401 { - add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; - return 302 /auth/self-service/browser/flows/login; - } - - #error_page 404 /404.html; - # location = /40x.html { - #} - - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } - -} diff --git a/salt/nginx/etc/nginx.conf.so-standalone b/salt/nginx/etc/nginx.conf.so-standalone index 64e1fa7d6..bdb342cac 100644 --- a/salt/nginx/etc/nginx.conf.so-standalone +++ b/salt/nginx/etc/nginx.conf.so-standalone @@ -1,5 +1,5 @@ -{%- set masterip = salt['pillar.get']('master:mainip', '') %} -{%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master') %} +{%- set managerip = salt['pillar.get']('manager:mainip', '') %} +{%- set FLEET_MANAGER = salt['pillar.get']('static:fleet_manager') %} {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} {%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', None) %} # For more information on configuration, see: @@ -14,318 +14,313 @@ pid /run/nginx.pid; include /usr/share/nginx/modules/*.conf; events { - worker_connections 1024; + worker_connections 1024; } http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /var/log/nginx/access.log main; - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - client_max_body_size 1024M; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + client_max_body_size 1024M; - include /etc/nginx/mime.types; - default_type application/octet-stream; + include /etc/nginx/mime.types; + default_type application/octet-stream; - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; + # Load modular configuration files from the /etc/nginx/conf.d directory. + # See http://nginx.org/en/docs/ngx_core_module.html#include + # for more information. + include /etc/nginx/conf.d/*.conf; - #server { - # listen 80 default_server; - # listen [::]:80 default_server; - # server_name _; - # root /opt/socore/html; - # index index.html; + #server { + # listen 80 default_server; + # listen [::]:80 default_server; + # server_name _; + # root /opt/socore/html; + # index index.html; - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; + # Load configuration files for the default server block. + #include /etc/nginx/default.d/*.conf; - # location / { - # } + # location / { + # } - # error_page 404 /404.html; - # location = /40x.html { - # } + # error_page 404 /404.html; + # location = /40x.html { + # } - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # } - #} - server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; - } + # error_page 500 502 503 504 /50x.html; + # location = /50x.html { + # } + #} + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } -{% if FLEET_MASTER %} - server { - listen 8090 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index blank.html; +{% if FLEET_MANAGER %} + server { + listen 8090 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index blank.html; - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - grpc_pass grpcs://{{ masterip }}:8080; - grpc_set_header Host $host; - grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_buffering off; - } + location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { + grpc_pass grpcs://{{ managerip }}:8080; + grpc_set_header Host $host; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_buffering off; + } - } + } {% endif %} # Settings for a TLS enabled server. - server { - listen 443 ssl http2 default_server; - #listen [::]:443 ssl http2 default_server; - server_name _; - root /opt/socore/html; - index index.html; + server { + listen 443 ssl http2 default_server; + #listen [::]:443 ssl http2 default_server; + server_name _; + root /opt/socore/html; + index index.html; - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate "/etc/pki/nginx/server.crt"; + ssl_certificate_key "/etc/pki/nginx/server.key"; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - # Load configuration files for the default server block. - #include /etc/nginx/default.d/*.conf; + # Load configuration files for the default server block. + #include /etc/nginx/default.d/*.conf; - location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ masterip }}:9822; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } + location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { + proxy_pass http://{{ managerip }}:9822; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-Proto $scheme; + } - location / { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto $scheme; - } + location / { + auth_request /auth/sessions/whoami; + proxy_pass http://{{ managerip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-Proto $scheme; + } - location ~ ^/auth/.*?(whoami|login|logout|settings) { - rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ masterip }}:4433; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location ~ ^/auth/.*?(whoami|login|logout|settings) { + rewrite /auth/(.*) /$1 break; + proxy_pass http://{{ managerip }}:4433; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /cyberchef/ { - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /cyberchef/ { + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /cyberchef { - rewrite ^ /cyberchef/ permanent; - } + location /navigator/ { + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /packages/ { - try_files $uri =206; - auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /grafana/ { - rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /packages/ { + try_files $uri =206; + auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /grafana/ { + auth_request /auth/sessions/whoami; + rewrite /grafana/(.*) /$1 break; + proxy_pass http://{{ managerip }}:3000/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /kibana/ { - auth_request /auth/sessions/whoami; - rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/ { + auth_request /auth/sessions/whoami; + rewrite /kibana/(.*) /$1 break; + proxy_pass http://{{ managerip }}:5601/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /nodered/ { - proxy_pass http://{{ masterip }}:1880/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /nodered/ { + proxy_pass http://{{ managerip }}:1880/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /playbook/ { + proxy_pass http://{{ managerip }}:3200/playbook/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + {%- if FLEET_NODE %} + location /fleet/ { + return 301 https://{{ FLEET_IP }}/fleet; + } + {%- else %} + location /fleet/ { + proxy_pass https://{{ managerip }}:8080; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + {%- endif %} - location /navigator/ { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ masterip }}:4200/navigator/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /thehive/ { + proxy_pass http://{{ managerip }}:9000/thehive/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - {%- if FLEET_NODE %} - location /fleet/ { - return 301 https://{{ FLEET_IP }}/fleet; - } - {%- else %} - location /fleet/ { - proxy_pass https://{{ masterip }}:8080; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - {%- endif %} + location /cortex/ { + proxy_pass http://{{ managerip }}:9001/cortex/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /soctopus/ { + proxy_pass http://{{ managerip }}:7000/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/app/soc/ { + rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; + } - location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /kibana/app/fleet/ { + rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; + } - location /kibana/app/soc/ { - rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; - } + location /kibana/app/soctopus/ { + rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; + } - location /kibana/app/fleet/ { - rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; - } + location /sensoroniagents/ { + proxy_pass http://{{ managerip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } - location /kibana/app/soctopus/ { - rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; - } + error_page 401 = @error401; - location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location @error401 { + add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; + return 302 /auth/self-service/browser/flows/login; + } - error_page 401 = @error401; + #error_page 404 /404.html; + # location = /40x.html { + #} - location @error401 { - add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; - return 302 /auth/self-service/browser/flows/login; - } - - #error_page 404 /404.html; - # location = /40x.html { - #} - - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } + error_page 500 502 503 504 /50x.html; + location = /usr/share/nginx/html/50x.html { + } + } } diff --git a/salt/navigator/files/nav_layer_playbook.json b/salt/nginx/files/nav_layer_playbook.json similarity index 96% rename from salt/navigator/files/nav_layer_playbook.json rename to salt/nginx/files/nav_layer_playbook.json index 43ed462b7..7b7f39098 100644 --- a/salt/navigator/files/nav_layer_playbook.json +++ b/salt/nginx/files/nav_layer_playbook.json @@ -1,6 +1,6 @@ { "name": "Playbook", - "version": "2.1", + "version": "2.2", "domain": "mitre-enterprise", "description": "Current Coverage of Playbook", "filters": { diff --git a/salt/navigator/files/navigator_config.json b/salt/nginx/files/navigator_config.json similarity index 92% rename from salt/navigator/files/navigator_config.json rename to salt/nginx/files/navigator_config.json index 7e132cbf8..bd40e09ef 100644 --- a/salt/navigator/files/navigator_config.json +++ b/salt/nginx/files/navigator_config.json @@ -1,4 +1,4 @@ -{%- set ip = salt['pillar.get']('static:masterip', '') %} +{%- set ip = salt['pillar.get']('static:managerip', '') %} { "enterprise_attack_url": "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json", @@ -16,7 +16,7 @@ "domain": "mitre-enterprise", - "custom_context_menu_items": [ {"label": "view related plays","url": " https://{{ip}}/playbook/projects/playbook-prod/issues?utf8=%E2%9C%93&set_filter=1&sort=id%3Adesc&f%5B%5D=status_id&op%5Bstatus_id%5D=o&f%5B%5D=cf_27&op%5Bcf_27%5D=%3D&f%5B%5D=&c%5B%5D=status&c%5B%5D=cf_24&c%5B%5D=cf_25&c%5B%5D=cf_6&c%5B%5D=updated_on&group_by=&t%5B%5D=&v%5Bcf_27%5D%5B%5D=~Technique_ID~"}], + "custom_context_menu_items": [ {"label": "view related plays","url": " https://{{ip}}/playbook/projects/detection-playbooks/issues?utf8=%E2%9C%93&set_filter=1&sort=id%3Adesc&f%5B%5D=cf_15&op%5Bcf_15%5D=%3D&f%5B%5D=&c%5B%5D=status&c%5B%5D=cf_10&c%5B%5D=cf_13&c%5B%5D=cf_18&c%5B%5D=cf_19&c%5B%5D=cf_1&c%5B%5D=updated_on&v%5Bcf_15%5D%5B%5D=~Technique_ID~"}], "default_layers": { "enabled": true, diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 296774a02..53bb13eec 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -1,7 +1,8 @@ -{% set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) %} +{% set FLEETMANAGER = salt['pillar.get']('static:fleet_manager', False) %} {% set FLEETNODE = salt['pillar.get']('static:fleet_node', False) %} -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} # Drop the correct nginx config based on role nginxconfdir: @@ -40,23 +41,45 @@ nginxtmp: - group: 939 - makedirs: True +navigatorconfig: + file.managed: + - name: /opt/so/conf/navigator/navigator_config.json + - source: salt://nginx/files/navigator_config.json + - user: 939 + - group: 939 + - makedirs: True + - template: jinja + +navigatordefaultlayer: + file.managed: + - name: /opt/so/conf/navigator/nav_layer_playbook.json + - source: salt://nginx/files/nav_layer_playbook.json + - user: 939 + - group: 939 + - makedirs: True + - replace: False + - template: jinja + so-nginx: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-nginx:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-nginx:{{ VERSION }} - hostname: so-nginx - binds: - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - /opt/so/log/nginx/:/var/log/nginx:rw - /opt/so/tmp/nginx/:/var/lib/nginx:rw - /opt/so/tmp/nginx/:/run:rw - - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro - - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro + - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro + - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro - /opt/so/conf/fleet/packages:/opt/socore/html/packages + # ATT&CK Navigator binds + - /opt/so/conf/navigator/navigator_config.json:/opt/socore/html/navigator/assets/config.json:ro + - /opt/so/conf/navigator/nav_layer_playbook.json:/opt/socore/html/navigator/assets/playbook.json:ro - cap_add: NET_BIND_SERVICE - port_bindings: - 80:80 - 443:443 - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - 8090:8090 {%- endif %} - watch: diff --git a/salt/nodered/files/nodered_load_flows b/salt/nodered/files/nodered_load_flows index 5617b1022..985c1c49a 100644 --- a/salt/nodered/files/nodered_load_flows +++ b/salt/nodered/files/nodered_load_flows @@ -1,4 +1,4 @@ -{%- set ip = salt['pillar.get']('static:masterip', '') -%} +{%- set ip = salt['pillar.get']('static:managerip', '') -%} #!/bin/bash default_salt_dir=/opt/so/saltstack/default diff --git a/salt/nodered/files/so_flows.json b/salt/nodered/files/so_flows.json index 8ab8cbf81..ad780ceb9 100644 --- a/salt/nodered/files/so_flows.json +++ b/salt/nodered/files/so_flows.json @@ -1,4 +1,4 @@ -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} +{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') -%} {%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') -%} {%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') -%} -[{"id":"dca608c3.7d8af8","type":"tab","label":"TheHive - Webhook Events","disabled":false,"info":""},{"id":"4db74fa6.2556d","type":"tls-config","z":"","name":"","cert":"","key":"","ca":"","certname":"","keyname":"","caname":"","servername":"","verifyservercert":false},{"id":"aa6cf50d.a02fc8","type":"http in","z":"dca608c3.7d8af8","name":"TheHive Listener","url":"/thehive","method":"post","upload":false,"swaggerDoc":"","x":120,"y":780,"wires":[["2b92aebb.853dc2","2fce29bb.1b1376","82ad0f08.7a53f"]]},{"id":"2b92aebb.853dc2","type":"debug","z":"dca608c3.7d8af8","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"payload","targetType":"msg","x":470,"y":940,"wires":[]},{"id":"a4ecb84a.805958","type":"switch","z":"dca608c3.7d8af8","name":"Operation","property":"payload.operation","propertyType":"msg","rules":[{"t":"eq","v":"Creation","vt":"str"},{"t":"eq","v":"Update","vt":"str"},{"t":"eq","v":"Delete","vt":"str"}],"checkall":"false","repair":false,"outputs":3,"x":580,"y":780,"wires":[["f1e954fd.3c21d8"],["65928861.c90a48"],["a259a26c.a21"]],"outputLabels":["Creation","Update","Delete"]},{"id":"f1e954fd.3c21d8","type":"switch","z":"dca608c3.7d8af8","name":"Creation","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_task","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"},{"t":"eq","v":"case_artifact_job","vt":"str"},{"t":"eq","v":"alert","vt":"str"},{"t":"eq","v":"user","vt":"str"}],"checkall":"false","repair":false,"outputs":7,"x":900,"y":480,"wires":[["e88b4cc2.f6afe"],["8c54e39.a1b4f2"],["64203fe8.e0ad5"],["3511de51.889a02"],["14544a8b.b6b2f5"],["44c595a4.45d45c"],["3eb4bedf.6e20a2"]],"inputLabels":["Operation"],"outputLabels":["case","case_artifact","case_task","case_task_log","action","alert","user"],"info":"No webhook data is received for the following events:\n\n- Creation of Dashboard\n- Creation of Case Templates\n"},{"id":"65928861.c90a48","type":"switch","z":"dca608c3.7d8af8","name":"Update","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_artifact_job","vt":"str"},{"t":"eq","v":"case_task","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"},{"t":"eq","v":"alert","vt":"str"},{"t":"eq","v":"user","vt":"str"}],"checkall":"false","repair":false,"outputs":7,"x":900,"y":860,"wires":[["eebe1748.1cd348"],["d703adc0.12fd1"],["2b738415.408d4c"],["6d97371a.406348"],["4ae621e1.9ae6"],["5786cee2.98109"],["54077728.447648"]],"inputLabels":["Operation"],"outputLabels":["case","case_artifact",null,"case_task","case_task_log","alert","user"]},{"id":"a259a26c.a21","type":"switch","z":"dca608c3.7d8af8","name":"Delete","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"}],"checkall":"false","repair":false,"outputs":3,"x":890,"y":1200,"wires":[["60c8bcfb.eff1f4"],["df708bab.348308"],["e9a8650c.e20cc8"]],"outputLabels":["case","case_artifact",""],"info":"Deleting a case task doesnt actually trigger a delete event. It triggers an `update` event where the status = cancelled"},{"id":"54077728.447648","type":"switch","z":"dca608c3.7d8af8","name":"User","property":"payload.object.status","propertyType":"msg","rules":[{"t":"eq","v":"Locked","vt":"str"},{"t":"eq","v":"Ok","vt":"str"}],"checkall":"false","repair":false,"outputs":2,"x":1130,"y":980,"wires":[["9429d6c5.5ac788"],["4e3e091c.d35388"]]},{"id":"9429d6c5.5ac788","type":"function","z":"dca608c3.7d8af8","name":"status: Locked","func":"msg.topic = \"[The Hive] A user account was locked\";\nmsg.from = \"from@example.com\";\nmsg.to = \"to@example.com\";\nreturn msg;","outputs":1,"noerr":0,"x":1380,"y":972,"wires":[[]],"info":"- User account was locked"},{"id":"4e3e091c.d35388","type":"function","z":"dca608c3.7d8af8","name":"status: Ok","func":"msg.topic = \"[The Hive] A user account was changed\";\nmsg.from = \"from@example.com\";\nmsg.to = \"to@example.com\";\nreturn msg;","outputs":1,"noerr":0,"x":1360,"y":1020,"wires":[[]],"info":"- User account was unlocked\n- User description was changed\n- User role was changed\n- User API key was added\n- User API key was revoked\n"},{"id":"485f3be.1ffcfc4","type":"function","z":"dca608c3.7d8af8","name":"status: Open","func":"// Fires when a Case is updated AND status = open\n// This can include things like TLP/PAP changes\n\nreturn msg;","outputs":1,"noerr":0,"x":1370,"y":660,"wires":[[]]},{"id":"eebe1748.1cd348","type":"switch","z":"dca608c3.7d8af8","name":"case","property":"payload.object.status","propertyType":"msg","rules":[{"t":"eq","v":"Open","vt":"str"}],"checkall":"true","repair":false,"outputs":1,"x":1130,"y":740,"wires":[["485f3be.1ffcfc4","e4b7b4bf.2fb828"]],"info":"- A case was modified"},{"id":"8c54e39.a1b4f2","type":"switch","z":"dca608c3.7d8af8","name":"case_artifact: Run Analyzer","property":"payload.object.dataType","propertyType":"msg","rules":[{"t":"eq","v":"ip","vt":"str"},{"t":"eq","v":"domain","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":1600,"y":340,"wires":[["eb8cfeb7.a7118","a5dd8a8a.065b88"],["eb8cfeb7.a7118","a5dd8a8a.065b88"]],"info":"# References\n\n\n"},{"id":"2fce29bb.1b1376","type":"function","z":"dca608c3.7d8af8","name":"Add headers","func":"msg.thehive_url = 'https://{{ MASTERIP }}/thehive';\nmsg.cortex_url = 'https://{{ MASTERIP }}/cortex';\nmsg.cortex_id = 'CORTEX-SERVER-ID';\nreturn msg;","outputs":1,"noerr":0,"x":350,"y":780,"wires":[["a4ecb84a.805958"]]},{"id":"e4b7b4bf.2fb828","type":"function","z":"dca608c3.7d8af8","name":"status: Resolved","func":"// Fires when a case is closed (resolved)\n\nreturn msg;","outputs":1,"noerr":0,"x":1390,"y":720,"wires":[[]]},{"id":"e88b4cc2.f6afe","type":"function","z":"dca608c3.7d8af8","name":"case","func":"// Fires when a case is created\n// or when a responder is generated against a case\n\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":320,"wires":[[]]},{"id":"64203fe8.e0ad5","type":"function","z":"dca608c3.7d8af8","name":"case_task","func":"// Fires when a case task is created\nreturn msg;","outputs":1,"noerr":0,"x":1140,"y":400,"wires":[[]]},{"id":"3511de51.889a02","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"// Fires when a case task log is created\n\nreturn msg;","outputs":1,"noerr":0,"x":1163,"y":440,"wires":[[]]},{"id":"14544a8b.b6b2f5","type":"function","z":"dca608c3.7d8af8","name":"case_artifact_job","func":"// Fires when a Responder or Analyzser is Run on an existing observable\n\nreturn msg;","outputs":1,"noerr":0,"x":1173,"y":480,"wires":[[]]},{"id":"2b738415.408d4c","type":"function","z":"dca608c3.7d8af8","name":"case_artifact_job","func":"\nreturn msg;","outputs":1,"noerr":0,"x":1170,"y":820,"wires":[[]]},{"id":"3eb4bedf.6e20a2","type":"function","z":"dca608c3.7d8af8","name":"user","func":"// Fires when a user is created\n\nreturn msg;","outputs":1,"noerr":0,"x":1133,"y":560,"wires":[[]]},{"id":"d703adc0.12fd1","type":"function","z":"dca608c3.7d8af8","name":"case_artifact","func":"// Fires when an artifact is updated\nreturn msg;","outputs":1,"noerr":0,"x":1150,"y":780,"wires":[[]]},{"id":"6d97371a.406348","type":"function","z":"dca608c3.7d8af8","name":"case_task","func":"// Fires when a case task is updated\nreturn msg;","outputs":1,"noerr":0,"x":1140,"y":860,"wires":[[]]},{"id":"4ae621e1.9ae6","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"//Fires when a case_task_log is updated\n\nreturn msg;","outputs":1,"noerr":0,"x":1160,"y":900,"wires":[[]]},{"id":"60c8bcfb.eff1f4","type":"function","z":"dca608c3.7d8af8","name":"case","func":"//Fires when a case is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":1160,"wires":[[]]},{"id":"df708bab.348308","type":"function","z":"dca608c3.7d8af8","name":"case_artifact","func":"//Fires when a case_artifact is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1150,"y":1200,"wires":[[]]},{"id":"e9a8650c.e20cc8","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"//Fires when a case_task_log is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1160,"y":1240,"wires":[[]]},{"id":"5786cee2.98109","type":"function","z":"dca608c3.7d8af8","name":"alert","func":"//Fires when an alert is updated\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":940,"wires":[[]]},{"id":"44c595a4.45d45c","type":"change","z":"dca608c3.7d8af8","d":true,"name":"Convert Alert Msg to Artifacts","rules":[{"t":"move","p":"payload.object.artifacts","pt":"msg","to":"payload","tot":"msg"}],"action":"","property":"","from":"","to":"","reg":false,"x":1200,"y":520,"wires":[["6dcca25e.04bd2c"]]},{"id":"6dcca25e.04bd2c","type":"split","z":"dca608c3.7d8af8","name":"Split Artifacts","splt":"\\n","spltType":"str","arraySplt":1,"arraySpltType":"len","stream":false,"addname":"","x":1430,"y":520,"wires":[["767c84f2.c9ba2c"]]},{"id":"767c84f2.c9ba2c","type":"switch","z":"dca608c3.7d8af8","name":"alert: Run Analyzer","property":"payload.dataType","propertyType":"msg","rules":[{"t":"eq","v":"ip","vt":"str"},{"t":"eq","v":"domain","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":1630,"y":400,"wires":[["eb8cfeb7.a7118","a5dd8a8a.065b88"],["a5dd8a8a.065b88","eb8cfeb7.a7118"]],"info":"# References\n\n\n"},{"id":"82ad0f08.7a53f","type":"http response","z":"dca608c3.7d8af8","name":"Ack Event Receipt","statusCode":"200","headers":{},"x":250,"y":940,"wires":[]},{"id":"a5dd8a8a.065b88","type":"function","z":"dca608c3.7d8af8","name":"Run Analyzer: CERT DNS","func":"msg.analyzer_id = \"4f28afc20d78f98df425e36e561af33f\";\n\nif (msg.payload.objectId) {\n msg.tag = \"case_artifact\"\n msg.artifact_id = msg.payload.objectId\n msg.url = msg.thehive_url + '/api/connector/cortex/job';\n msg.payload = {\n 'cortexId' : msg.cortex_id,\n 'artifactId': msg.artifact_id,\n 'analyzerId': msg.analyzer_id\n };\n}\nelse {\n msg.tag = \"observable\"\n msg.observable = msg.payload.data\n msg.dataType = msg.payload.dataType\n\n msg.url = msg.cortex_url + '/api/analyzer/' + msg.analyzer_id + '/run';\n msg.payload = {\n 'data' : msg.observable,\n 'dataType': msg.dataType \n };\n}\nreturn msg;","outputs":1,"noerr":0,"x":1930,"y":420,"wires":[["f050a09f.b2201"]]},{"id":"eb8cfeb7.a7118","type":"function","z":"dca608c3.7d8af8","name":"Run Analyzer: Urlscan","func":"msg.analyzer_id = \"54e51b62c6c8ddc3cbc3cbdd889a0557\";\n\nif (msg.payload.objectId) {\n msg.tag = \"case_artifact\"\n msg.artifact_id = msg.payload.objectId\n msg.url = msg.thehive_url + '/api/connector/cortex/job';\n msg.payload = {\n 'cortexId' : msg.cortex_id,\n 'artifactId': msg.artifact_id,\n 'analyzerId': msg.analyzer_id\n };\n}\nelse {\n msg.tag = \"observable\"\n msg.observable = msg.payload.data\n msg.dataType = msg.payload.dataType\n\n msg.url = msg.cortex_url + '/api/analyzer/' + msg.analyzer_id + '/run';\n msg.payload = {\n 'data' : msg.observable,\n 'dataType': msg.dataType \n };\n}\nreturn msg;","outputs":1,"noerr":0,"x":1920,"y":320,"wires":[["f050a09f.b2201"]]},{"id":"1c448528.3032fb","type":"http request","z":"dca608c3.7d8af8","name":"Submit to Cortex","method":"POST","ret":"obj","paytoqs":false,"url":"","tls":"4db74fa6.2556d","persist":false,"proxy":"","authType":"bearer","credentials": {"user": "", "password": "{{ CORTEXKEY }}"},"x":2450,"y":420,"wires":[["ea6614fb.752a78"]]},{"id":"ea6614fb.752a78","type":"debug","z":"dca608c3.7d8af8","name":"Debug","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"true","targetType":"full","x":2670,"y":360,"wires":[]},{"id":"f050a09f.b2201","type":"switch","z":"dca608c3.7d8af8","name":"Cases vs Alerts","property":"tag","propertyType":"msg","rules":[{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"observable","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":2200,"y":360,"wires":[["f7fca977.a73b28"],["1c448528.3032fb"]],"inputLabels":["Data"],"outputLabels":["Cases","Alerts"]},{"id":"f7fca977.a73b28","type":"http request","z":"dca608c3.7d8af8","name":"Submit to TheHive","method":"POST","ret":"obj","paytoqs":false,"url":"","tls":"4db74fa6.2556d","persist":false,"proxy":"","authType":"bearer","credentials": {"user": "", "password": "{{ HIVEKEY }}"},"x":2450,"y":280,"wires":[["ea6614fb.752a78"]]}] +[{"id":"dca608c3.7d8af8","type":"tab","label":"TheHive - Webhook Events","disabled":false,"info":""},{"id":"4db74fa6.2556d","type":"tls-config","z":"","name":"","cert":"","key":"","ca":"","certname":"","keyname":"","caname":"","servername":"","verifyservercert":false},{"id":"aa6cf50d.a02fc8","type":"http in","z":"dca608c3.7d8af8","name":"TheHive Listener","url":"/thehive","method":"post","upload":false,"swaggerDoc":"","x":120,"y":780,"wires":[["2b92aebb.853dc2","2fce29bb.1b1376","82ad0f08.7a53f"]]},{"id":"2b92aebb.853dc2","type":"debug","z":"dca608c3.7d8af8","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"payload","targetType":"msg","x":470,"y":940,"wires":[]},{"id":"a4ecb84a.805958","type":"switch","z":"dca608c3.7d8af8","name":"Operation","property":"payload.operation","propertyType":"msg","rules":[{"t":"eq","v":"Creation","vt":"str"},{"t":"eq","v":"Update","vt":"str"},{"t":"eq","v":"Delete","vt":"str"}],"checkall":"false","repair":false,"outputs":3,"x":580,"y":780,"wires":[["f1e954fd.3c21d8"],["65928861.c90a48"],["a259a26c.a21"]],"outputLabels":["Creation","Update","Delete"]},{"id":"f1e954fd.3c21d8","type":"switch","z":"dca608c3.7d8af8","name":"Creation","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_task","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"},{"t":"eq","v":"case_artifact_job","vt":"str"},{"t":"eq","v":"alert","vt":"str"},{"t":"eq","v":"user","vt":"str"}],"checkall":"false","repair":false,"outputs":7,"x":900,"y":480,"wires":[["e88b4cc2.f6afe"],["8c54e39.a1b4f2"],["64203fe8.e0ad5"],["3511de51.889a02"],["14544a8b.b6b2f5"],["44c595a4.45d45c"],["3eb4bedf.6e20a2"]],"inputLabels":["Operation"],"outputLabels":["case","case_artifact","case_task","case_task_log","action","alert","user"],"info":"No webhook data is received for the following events:\n\n- Creation of Dashboard\n- Creation of Case Templates\n"},{"id":"65928861.c90a48","type":"switch","z":"dca608c3.7d8af8","name":"Update","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_artifact_job","vt":"str"},{"t":"eq","v":"case_task","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"},{"t":"eq","v":"alert","vt":"str"},{"t":"eq","v":"user","vt":"str"}],"checkall":"false","repair":false,"outputs":7,"x":900,"y":860,"wires":[["eebe1748.1cd348"],["d703adc0.12fd1"],["2b738415.408d4c"],["6d97371a.406348"],["4ae621e1.9ae6"],["5786cee2.98109"],["54077728.447648"]],"inputLabels":["Operation"],"outputLabels":["case","case_artifact",null,"case_task","case_task_log","alert","user"]},{"id":"a259a26c.a21","type":"switch","z":"dca608c3.7d8af8","name":"Delete","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"}],"checkall":"false","repair":false,"outputs":3,"x":890,"y":1200,"wires":[["60c8bcfb.eff1f4"],["df708bab.348308"],["e9a8650c.e20cc8"]],"outputLabels":["case","case_artifact",""],"info":"Deleting a case task doesnt actually trigger a delete event. It triggers an `update` event where the status = cancelled"},{"id":"54077728.447648","type":"switch","z":"dca608c3.7d8af8","name":"User","property":"payload.object.status","propertyType":"msg","rules":[{"t":"eq","v":"Locked","vt":"str"},{"t":"eq","v":"Ok","vt":"str"}],"checkall":"false","repair":false,"outputs":2,"x":1130,"y":980,"wires":[["9429d6c5.5ac788"],["4e3e091c.d35388"]]},{"id":"9429d6c5.5ac788","type":"function","z":"dca608c3.7d8af8","name":"status: Locked","func":"msg.topic = \"[The Hive] A user account was locked\";\nmsg.from = \"from@example.com\";\nmsg.to = \"to@example.com\";\nreturn msg;","outputs":1,"noerr":0,"x":1380,"y":972,"wires":[[]],"info":"- User account was locked"},{"id":"4e3e091c.d35388","type":"function","z":"dca608c3.7d8af8","name":"status: Ok","func":"msg.topic = \"[The Hive] A user account was changed\";\nmsg.from = \"from@example.com\";\nmsg.to = \"to@example.com\";\nreturn msg;","outputs":1,"noerr":0,"x":1360,"y":1020,"wires":[[]],"info":"- User account was unlocked\n- User description was changed\n- User role was changed\n- User API key was added\n- User API key was revoked\n"},{"id":"485f3be.1ffcfc4","type":"function","z":"dca608c3.7d8af8","name":"status: Open","func":"// Fires when a Case is updated AND status = open\n// This can include things like TLP/PAP changes\n\nreturn msg;","outputs":1,"noerr":0,"x":1370,"y":660,"wires":[[]]},{"id":"eebe1748.1cd348","type":"switch","z":"dca608c3.7d8af8","name":"case","property":"payload.object.status","propertyType":"msg","rules":[{"t":"eq","v":"Open","vt":"str"}],"checkall":"true","repair":false,"outputs":1,"x":1130,"y":740,"wires":[["485f3be.1ffcfc4","e4b7b4bf.2fb828"]],"info":"- A case was modified"},{"id":"8c54e39.a1b4f2","type":"switch","z":"dca608c3.7d8af8","name":"case_artifact: Run Analyzer","property":"payload.object.dataType","propertyType":"msg","rules":[{"t":"eq","v":"ip","vt":"str"},{"t":"eq","v":"domain","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":1600,"y":340,"wires":[["eb8cfeb7.a7118","a5dd8a8a.065b88"],["eb8cfeb7.a7118","a5dd8a8a.065b88"]],"info":"# References\n\n\n"},{"id":"2fce29bb.1b1376","type":"function","z":"dca608c3.7d8af8","name":"Add headers","func":"msg.thehive_url = 'https://{{ MANAGERIP }}/thehive';\nmsg.cortex_url = 'https://{{ MANAGERIP }}/cortex';\nmsg.cortex_id = 'CORTEX-SERVER-ID';\nreturn msg;","outputs":1,"noerr":0,"x":350,"y":780,"wires":[["a4ecb84a.805958"]]},{"id":"e4b7b4bf.2fb828","type":"function","z":"dca608c3.7d8af8","name":"status: Resolved","func":"// Fires when a case is closed (resolved)\n\nreturn msg;","outputs":1,"noerr":0,"x":1390,"y":720,"wires":[[]]},{"id":"e88b4cc2.f6afe","type":"function","z":"dca608c3.7d8af8","name":"case","func":"// Fires when a case is created\n// or when a responder is generated against a case\n\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":320,"wires":[[]]},{"id":"64203fe8.e0ad5","type":"function","z":"dca608c3.7d8af8","name":"case_task","func":"// Fires when a case task is created\nreturn msg;","outputs":1,"noerr":0,"x":1140,"y":400,"wires":[[]]},{"id":"3511de51.889a02","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"// Fires when a case task log is created\n\nreturn msg;","outputs":1,"noerr":0,"x":1163,"y":440,"wires":[[]]},{"id":"14544a8b.b6b2f5","type":"function","z":"dca608c3.7d8af8","name":"case_artifact_job","func":"// Fires when a Responder or Analyzser is Run on an existing observable\n\nreturn msg;","outputs":1,"noerr":0,"x":1173,"y":480,"wires":[[]]},{"id":"2b738415.408d4c","type":"function","z":"dca608c3.7d8af8","name":"case_artifact_job","func":"\nreturn msg;","outputs":1,"noerr":0,"x":1170,"y":820,"wires":[[]]},{"id":"3eb4bedf.6e20a2","type":"function","z":"dca608c3.7d8af8","name":"user","func":"// Fires when a user is created\n\nreturn msg;","outputs":1,"noerr":0,"x":1133,"y":560,"wires":[[]]},{"id":"d703adc0.12fd1","type":"function","z":"dca608c3.7d8af8","name":"case_artifact","func":"// Fires when an artifact is updated\nreturn msg;","outputs":1,"noerr":0,"x":1150,"y":780,"wires":[[]]},{"id":"6d97371a.406348","type":"function","z":"dca608c3.7d8af8","name":"case_task","func":"// Fires when a case task is updated\nreturn msg;","outputs":1,"noerr":0,"x":1140,"y":860,"wires":[[]]},{"id":"4ae621e1.9ae6","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"//Fires when a case_task_log is updated\n\nreturn msg;","outputs":1,"noerr":0,"x":1160,"y":900,"wires":[[]]},{"id":"60c8bcfb.eff1f4","type":"function","z":"dca608c3.7d8af8","name":"case","func":"//Fires when a case is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":1160,"wires":[[]]},{"id":"df708bab.348308","type":"function","z":"dca608c3.7d8af8","name":"case_artifact","func":"//Fires when a case_artifact is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1150,"y":1200,"wires":[[]]},{"id":"e9a8650c.e20cc8","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"//Fires when a case_task_log is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1160,"y":1240,"wires":[[]]},{"id":"5786cee2.98109","type":"function","z":"dca608c3.7d8af8","name":"alert","func":"//Fires when an alert is updated\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":940,"wires":[[]]},{"id":"44c595a4.45d45c","type":"change","z":"dca608c3.7d8af8","d":true,"name":"Convert Alert Msg to Artifacts","rules":[{"t":"move","p":"payload.object.artifacts","pt":"msg","to":"payload","tot":"msg"}],"action":"","property":"","from":"","to":"","reg":false,"x":1200,"y":520,"wires":[["6dcca25e.04bd2c"]]},{"id":"6dcca25e.04bd2c","type":"split","z":"dca608c3.7d8af8","name":"Split Artifacts","splt":"\\n","spltType":"str","arraySplt":1,"arraySpltType":"len","stream":false,"addname":"","x":1430,"y":520,"wires":[["767c84f2.c9ba2c"]]},{"id":"767c84f2.c9ba2c","type":"switch","z":"dca608c3.7d8af8","name":"alert: Run Analyzer","property":"payload.dataType","propertyType":"msg","rules":[{"t":"eq","v":"ip","vt":"str"},{"t":"eq","v":"domain","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":1630,"y":400,"wires":[["eb8cfeb7.a7118","a5dd8a8a.065b88"],["a5dd8a8a.065b88","eb8cfeb7.a7118"]],"info":"# References\n\n\n"},{"id":"82ad0f08.7a53f","type":"http response","z":"dca608c3.7d8af8","name":"Ack Event Receipt","statusCode":"200","headers":{},"x":250,"y":940,"wires":[]},{"id":"a5dd8a8a.065b88","type":"function","z":"dca608c3.7d8af8","name":"Run Analyzer: CERT DNS","func":"msg.analyzer_id = \"4f28afc20d78f98df425e36e561af33f\";\n\nif (msg.payload.objectId) {\n msg.tag = \"case_artifact\"\n msg.artifact_id = msg.payload.objectId\n msg.url = msg.thehive_url + '/api/connector/cortex/job';\n msg.payload = {\n 'cortexId' : msg.cortex_id,\n 'artifactId': msg.artifact_id,\n 'analyzerId': msg.analyzer_id\n };\n}\nelse {\n msg.tag = \"observable\"\n msg.observable = msg.payload.data\n msg.dataType = msg.payload.dataType\n\n msg.url = msg.cortex_url + '/api/analyzer/' + msg.analyzer_id + '/run';\n msg.payload = {\n 'data' : msg.observable,\n 'dataType': msg.dataType \n };\n}\nreturn msg;","outputs":1,"noerr":0,"x":1930,"y":420,"wires":[["f050a09f.b2201"]]},{"id":"eb8cfeb7.a7118","type":"function","z":"dca608c3.7d8af8","name":"Run Analyzer: Urlscan","func":"msg.analyzer_id = \"54e51b62c6c8ddc3cbc3cbdd889a0557\";\n\nif (msg.payload.objectId) {\n msg.tag = \"case_artifact\"\n msg.artifact_id = msg.payload.objectId\n msg.url = msg.thehive_url + '/api/connector/cortex/job';\n msg.payload = {\n 'cortexId' : msg.cortex_id,\n 'artifactId': msg.artifact_id,\n 'analyzerId': msg.analyzer_id\n };\n}\nelse {\n msg.tag = \"observable\"\n msg.observable = msg.payload.data\n msg.dataType = msg.payload.dataType\n\n msg.url = msg.cortex_url + '/api/analyzer/' + msg.analyzer_id + '/run';\n msg.payload = {\n 'data' : msg.observable,\n 'dataType': msg.dataType \n };\n}\nreturn msg;","outputs":1,"noerr":0,"x":1920,"y":320,"wires":[["f050a09f.b2201"]]},{"id":"1c448528.3032fb","type":"http request","z":"dca608c3.7d8af8","name":"Submit to Cortex","method":"POST","ret":"obj","paytoqs":false,"url":"","tls":"4db74fa6.2556d","persist":false,"proxy":"","authType":"bearer","credentials": {"user": "", "password": "{{ CORTEXKEY }}"},"x":2450,"y":420,"wires":[["ea6614fb.752a78"]]},{"id":"ea6614fb.752a78","type":"debug","z":"dca608c3.7d8af8","name":"Debug","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"true","targetType":"full","x":2670,"y":360,"wires":[]},{"id":"f050a09f.b2201","type":"switch","z":"dca608c3.7d8af8","name":"Cases vs Alerts","property":"tag","propertyType":"msg","rules":[{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"observable","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":2200,"y":360,"wires":[["f7fca977.a73b28"],["1c448528.3032fb"]],"inputLabels":["Data"],"outputLabels":["Cases","Alerts"]},{"id":"f7fca977.a73b28","type":"http request","z":"dca608c3.7d8af8","name":"Submit to TheHive","method":"POST","ret":"obj","paytoqs":false,"url":"","tls":"4db74fa6.2556d","persist":false,"proxy":"","authType":"bearer","credentials": {"user": "", "password": "{{ HIVEKEY }}"},"x":2450,"y":280,"wires":[["ea6614fb.752a78"]]}] diff --git a/salt/nodered/init.sls b/salt/nodered/init.sls index c501445a2..bec8f266a 100644 --- a/salt/nodered/init.sls +++ b/salt/nodered/init.sls @@ -13,6 +13,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} + # Create the nodered group noderedgroup: group.present: @@ -61,7 +63,7 @@ noderedlog: so-nodered: docker_container.running: - - image: soshybridhunter/so-nodered:HH1.2.2 + - image: {{ IMAGEREPO }}/so-nodered:HH1.2.2 - interactive: True - binds: - /opt/so/conf/nodered/:/data:rw diff --git a/salt/pcap/files/sensoroni.json b/salt/pcap/files/sensoroni.json index 81776b021..76fb0e502 100644 --- a/salt/pcap/files/sensoroni.json +++ b/salt/pcap/files/sensoroni.json @@ -1,17 +1,20 @@ -{%- set MASTER = grains['master'] -%} +{%- set MANAGER = salt['grains.get']('master') -%} {%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%} +{%- set CHECKININTERVALMS = salt['pillar.get']('pcap:sensor_checkin_interval_ms') -%} { "logFilename": "/opt/sensoroni/logs/sensoroni.log", "logLevel":"debug", "agent": { - "pollIntervalMs": 10000, - "serverUrl": "https://{{ MASTER }}/sensoroniagents", + "pollIntervalMs": {{ CHECKININTERVALMS }}, + "serverUrl": "https://{{ MANAGER }}/sensoroniagents", "verifyCert": false, "modules": { + "importer": {}, "statickeyauth": { "apiKey": "{{ SENSORONIKEY }}" }, "stenoquery": { + "executablePath": "/opt/sensoroni/scripts/stenoquery.sh", "pcapInputPath": "/nsm/pcap", "pcapOutputPath": "/nsm/pcapout" } diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 93203ca5b..1a9de6611 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -13,20 +13,19 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} {% set BPF_STENO = salt['pillar.get']('steno:bpf', None) %} {% set BPF_COMPILED = "" %} # PCAP Section -# Create the logstash group stenographergroup: group.present: - name: stenographer - gid: 941 -# Add the logstash user for the jog4j settings stenographer: user.present: - uid: 941 @@ -40,6 +39,13 @@ stenoconfdir: - group: 939 - makedirs: True +sensoroniconfdir: + file.directory: + - name: /opt/so/conf/sensoroni + - user: 939 + - group: 939 + - makedirs: True + {% if BPF_STENO %} {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_STENO|join(" "),cwd='/root') %} {% if BPF_CALC['stderr'] == "" %} @@ -58,8 +64,8 @@ stenoconf: file.managed: - name: /opt/so/conf/steno/config - source: salt://pcap/files/config - - user: root - - group: root + - user: stenographer + - group: stenographer - mode: 644 - template: jinja - defaults: @@ -67,10 +73,10 @@ stenoconf: sensoroniagentconf: file.managed: - - name: /opt/so/conf/steno/sensoroni.json + - name: /opt/so/conf/sensoroni/sensoroni.json - source: salt://pcap/files/sensoroni.json - - user: stenographer - - group: stenographer + - user: 939 + - group: 939 - mode: 600 - template: jinja @@ -78,7 +84,7 @@ stenoca: file.directory: - name: /opt/so/conf/steno/certs - user: 941 - - group: 941 + - group: 939 pcapdir: file.directory: @@ -97,8 +103,8 @@ pcaptmpdir: pcapoutdir: file.directory: - name: /nsm/pcapout - - user: 941 - - group: 941 + - user: 939 + - group: 939 - makedirs: True pcapindexdir: @@ -115,9 +121,16 @@ stenolog: - group: 941 - makedirs: True +sensoronilog: + file.directory: + - name: /opt/so/log/sensoroni + - user: 939 + - group: 939 + - makedirs: True + so-steno: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-steno:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-steno:{{ VERSION }} - network_mode: host - privileged: True - port_bindings: @@ -128,10 +141,20 @@ so-steno: - /nsm/pcap:/nsm/pcap:rw - /nsm/pcapindex:/nsm/pcapindex:rw - /nsm/pcaptmp:/tmp:rw - - /nsm/pcapout:/nsm/pcapout:rw - /opt/so/log/stenographer:/var/log/stenographer:rw - - /opt/so/conf/steno/sensoroni.json:/opt/sensoroni/sensoroni.json:ro - - /opt/so/log/stenographer:/opt/sensoroni/logs:rw - watch: - file: /opt/so/conf/steno/config - - file: /opt/so/conf/steno/sensoroni.json + +so-sensoroni: + docker_container.running: + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }} + - network_mode: host + - binds: + - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw + - /nsm/pcap:/nsm/pcap:rw + - /nsm/import:/nsm/import:rw + - /nsm/pcapout:/nsm/pcapout:rw + - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro + - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw + - watch: + - file: /opt/so/conf/sensoroni/sensoroni.json diff --git a/salt/playbook/db_init.sls b/salt/playbook/db_init.sls new file mode 100644 index 000000000..1b2bf7b1a --- /dev/null +++ b/salt/playbook/db_init.sls @@ -0,0 +1,14 @@ + +# This state will import the initial default playbook database. +# If there is an existing playbook database, it will be overwritten - no backups are made. + +include: + - mysql + +salt://playbook/files/playbook_db_init.sh: + cmd.script: + - cwd: /root + - template: jinja + +'sleep 5': + cmd.run \ No newline at end of file diff --git a/salt/playbook/files/playbook-schema.sql b/salt/playbook/files/playbook-schema.sql deleted file mode 100644 index 02eafcbdd..000000000 --- a/salt/playbook/files/playbook-schema.sql +++ /dev/null @@ -1,1224 +0,0 @@ --- MySQL dump 10.13 Distrib 5.7.24, for Linux (x86_64) --- --- Host: localhost Database: playbook --- ------------------------------------------------------ --- Server version 5.7.24 - -/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; -/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; -/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; -/*!40101 SET NAMES utf8 */; -/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */; -/*!40103 SET TIME_ZONE='+00:00' */; -/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */; -/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */; -/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; -/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */; - --- --- Table structure for table `ar_internal_metadata` --- - -DROP TABLE IF EXISTS `ar_internal_metadata`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `ar_internal_metadata` ( - `key` varchar(255) NOT NULL, - `value` varchar(255) DEFAULT NULL, - `created_at` datetime NOT NULL, - `updated_at` datetime NOT NULL, - PRIMARY KEY (`key`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `attachments` --- - -DROP TABLE IF EXISTS `attachments`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `attachments` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `container_id` int(11) DEFAULT NULL, - `container_type` varchar(30) DEFAULT NULL, - `filename` varchar(255) NOT NULL DEFAULT '', - `disk_filename` varchar(255) NOT NULL DEFAULT '', - `filesize` bigint(20) NOT NULL DEFAULT '0', - `content_type` varchar(255) DEFAULT '', - `digest` varchar(64) NOT NULL DEFAULT '', - `downloads` int(11) NOT NULL DEFAULT '0', - `author_id` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `description` varchar(255) DEFAULT NULL, - `disk_directory` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_attachments_on_author_id` (`author_id`), - KEY `index_attachments_on_created_on` (`created_on`), - KEY `index_attachments_on_container_id_and_container_type` (`container_id`,`container_type`), - KEY `index_attachments_on_disk_filename` (`disk_filename`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `auth_sources` --- - -DROP TABLE IF EXISTS `auth_sources`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `auth_sources` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `type` varchar(30) NOT NULL DEFAULT '', - `name` varchar(60) NOT NULL DEFAULT '', - `host` varchar(60) DEFAULT NULL, - `port` int(11) DEFAULT NULL, - `account` varchar(255) DEFAULT NULL, - `account_password` varchar(255) DEFAULT '', - `base_dn` varchar(255) DEFAULT NULL, - `attr_login` varchar(30) DEFAULT NULL, - `attr_firstname` varchar(30) DEFAULT NULL, - `attr_lastname` varchar(30) DEFAULT NULL, - `attr_mail` varchar(30) DEFAULT NULL, - `onthefly_register` tinyint(1) NOT NULL DEFAULT '0', - `tls` tinyint(1) NOT NULL DEFAULT '0', - `filter` text, - `timeout` int(11) DEFAULT NULL, - `verify_peer` tinyint(1) NOT NULL DEFAULT '1', - PRIMARY KEY (`id`), - KEY `index_auth_sources_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `boards` --- - -DROP TABLE IF EXISTS `boards`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `boards` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL, - `name` varchar(255) NOT NULL DEFAULT '', - `description` varchar(255) DEFAULT NULL, - `position` int(11) DEFAULT NULL, - `topics_count` int(11) NOT NULL DEFAULT '0', - `messages_count` int(11) NOT NULL DEFAULT '0', - `last_message_id` int(11) DEFAULT NULL, - `parent_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `boards_project_id` (`project_id`), - KEY `index_boards_on_last_message_id` (`last_message_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `changes` --- - -DROP TABLE IF EXISTS `changes`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changes` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `changeset_id` int(11) NOT NULL, - `action` varchar(1) NOT NULL DEFAULT '', - `path` text NOT NULL, - `from_path` text, - `from_revision` varchar(255) DEFAULT NULL, - `revision` varchar(255) DEFAULT NULL, - `branch` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `changesets_changeset_id` (`changeset_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `changeset_parents` --- - -DROP TABLE IF EXISTS `changeset_parents`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changeset_parents` ( - `changeset_id` int(11) NOT NULL, - `parent_id` int(11) NOT NULL, - KEY `changeset_parents_changeset_ids` (`changeset_id`), - KEY `changeset_parents_parent_ids` (`parent_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `changesets` --- - -DROP TABLE IF EXISTS `changesets`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changesets` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `repository_id` int(11) NOT NULL, - `revision` varchar(255) NOT NULL, - `committer` varchar(255) DEFAULT NULL, - `committed_on` datetime NOT NULL, - `comments` longtext, - `commit_date` date DEFAULT NULL, - `scmid` varchar(255) DEFAULT NULL, - `user_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `changesets_repos_rev` (`repository_id`,`revision`), - KEY `index_changesets_on_user_id` (`user_id`), - KEY `index_changesets_on_repository_id` (`repository_id`), - KEY `index_changesets_on_committed_on` (`committed_on`), - KEY `changesets_repos_scmid` (`repository_id`,`scmid`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `changesets_issues` --- - -DROP TABLE IF EXISTS `changesets_issues`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changesets_issues` ( - `changeset_id` int(11) NOT NULL, - `issue_id` int(11) NOT NULL, - UNIQUE KEY `changesets_issues_ids` (`changeset_id`,`issue_id`), - KEY `index_changesets_issues_on_issue_id` (`issue_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `comments` --- - -DROP TABLE IF EXISTS `comments`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `comments` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `commented_type` varchar(30) NOT NULL DEFAULT '', - `commented_id` int(11) NOT NULL DEFAULT '0', - `author_id` int(11) NOT NULL DEFAULT '0', - `content` text, - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - PRIMARY KEY (`id`), - KEY `index_comments_on_commented_id_and_commented_type` (`commented_id`,`commented_type`), - KEY `index_comments_on_author_id` (`author_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `custom_field_enumerations` --- - -DROP TABLE IF EXISTS `custom_field_enumerations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_field_enumerations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `custom_field_id` int(11) NOT NULL, - `name` varchar(255) NOT NULL, - `active` tinyint(1) NOT NULL DEFAULT '1', - `position` int(11) NOT NULL DEFAULT '1', - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `custom_fields` --- - -DROP TABLE IF EXISTS `custom_fields`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `type` varchar(30) NOT NULL DEFAULT '', - `name` varchar(30) NOT NULL DEFAULT '', - `field_format` varchar(30) NOT NULL DEFAULT '', - `possible_values` text, - `regexp` varchar(255) DEFAULT '', - `min_length` int(11) DEFAULT NULL, - `max_length` int(11) DEFAULT NULL, - `is_required` tinyint(1) NOT NULL DEFAULT '0', - `is_for_all` tinyint(1) NOT NULL DEFAULT '0', - `is_filter` tinyint(1) NOT NULL DEFAULT '0', - `position` int(11) DEFAULT NULL, - `searchable` tinyint(1) DEFAULT '0', - `default_value` text, - `editable` tinyint(1) DEFAULT '1', - `visible` tinyint(1) NOT NULL DEFAULT '1', - `multiple` tinyint(1) DEFAULT '0', - `format_store` text, - `description` text, - PRIMARY KEY (`id`), - KEY `index_custom_fields_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB AUTO_INCREMENT=18 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `custom_fields_projects` --- - -DROP TABLE IF EXISTS `custom_fields_projects`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields_projects` ( - `custom_field_id` int(11) NOT NULL DEFAULT '0', - `project_id` int(11) NOT NULL DEFAULT '0', - UNIQUE KEY `index_custom_fields_projects_on_custom_field_id_and_project_id` (`custom_field_id`,`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `custom_fields_roles` --- - -DROP TABLE IF EXISTS `custom_fields_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields_roles` ( - `custom_field_id` int(11) NOT NULL, - `role_id` int(11) NOT NULL, - UNIQUE KEY `custom_fields_roles_ids` (`custom_field_id`,`role_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `custom_fields_trackers` --- - -DROP TABLE IF EXISTS `custom_fields_trackers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields_trackers` ( - `custom_field_id` int(11) NOT NULL DEFAULT '0', - `tracker_id` int(11) NOT NULL DEFAULT '0', - UNIQUE KEY `index_custom_fields_trackers_on_custom_field_id_and_tracker_id` (`custom_field_id`,`tracker_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `custom_values` --- - -DROP TABLE IF EXISTS `custom_values`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_values` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `customized_type` varchar(30) NOT NULL DEFAULT '', - `customized_id` int(11) NOT NULL DEFAULT '0', - `custom_field_id` int(11) NOT NULL DEFAULT '0', - `value` longtext, - PRIMARY KEY (`id`), - KEY `custom_values_customized` (`customized_type`,`customized_id`), - KEY `index_custom_values_on_custom_field_id` (`custom_field_id`) -) ENGINE=InnoDB AUTO_INCREMENT=11184 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `documents` --- - -DROP TABLE IF EXISTS `documents`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `documents` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `category_id` int(11) NOT NULL DEFAULT '0', - `title` varchar(255) NOT NULL DEFAULT '', - `description` text, - `created_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `documents_project_id` (`project_id`), - KEY `index_documents_on_category_id` (`category_id`), - KEY `index_documents_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `email_addresses` --- - -DROP TABLE IF EXISTS `email_addresses`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `email_addresses` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL, - `address` varchar(255) NOT NULL, - `is_default` tinyint(1) NOT NULL DEFAULT '0', - `notify` tinyint(1) NOT NULL DEFAULT '1', - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - PRIMARY KEY (`id`), - KEY `index_email_addresses_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `enabled_modules` --- - -DROP TABLE IF EXISTS `enabled_modules`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `enabled_modules` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) DEFAULT NULL, - `name` varchar(255) NOT NULL, - PRIMARY KEY (`id`), - KEY `enabled_modules_project_id` (`project_id`) -) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `enumerations` --- - -DROP TABLE IF EXISTS `enumerations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `enumerations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(30) NOT NULL DEFAULT '', - `position` int(11) DEFAULT NULL, - `is_default` tinyint(1) NOT NULL DEFAULT '0', - `type` varchar(255) DEFAULT NULL, - `active` tinyint(1) NOT NULL DEFAULT '1', - `project_id` int(11) DEFAULT NULL, - `parent_id` int(11) DEFAULT NULL, - `position_name` varchar(30) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_enumerations_on_project_id` (`project_id`), - KEY `index_enumerations_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `groups_users` --- - -DROP TABLE IF EXISTS `groups_users`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `groups_users` ( - `group_id` int(11) NOT NULL, - `user_id` int(11) NOT NULL, - UNIQUE KEY `groups_users_ids` (`group_id`,`user_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `import_items` --- - -DROP TABLE IF EXISTS `import_items`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `import_items` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `import_id` int(11) NOT NULL, - `position` int(11) NOT NULL, - `obj_id` int(11) DEFAULT NULL, - `message` text, - `unique_id` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_import_items_on_import_id_and_unique_id` (`import_id`,`unique_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `imports` --- - -DROP TABLE IF EXISTS `imports`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `imports` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `type` varchar(255) DEFAULT NULL, - `user_id` int(11) NOT NULL, - `filename` varchar(255) DEFAULT NULL, - `settings` text, - `total_items` int(11) DEFAULT NULL, - `finished` tinyint(1) NOT NULL DEFAULT '0', - `created_at` datetime NOT NULL, - `updated_at` datetime NOT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `issue_categories` --- - -DROP TABLE IF EXISTS `issue_categories`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issue_categories` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `name` varchar(60) NOT NULL DEFAULT '', - `assigned_to_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `issue_categories_project_id` (`project_id`), - KEY `index_issue_categories_on_assigned_to_id` (`assigned_to_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `issue_relations` --- - -DROP TABLE IF EXISTS `issue_relations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issue_relations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `issue_from_id` int(11) NOT NULL, - `issue_to_id` int(11) NOT NULL, - `relation_type` varchar(255) NOT NULL DEFAULT '', - `delay` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `index_issue_relations_on_issue_from_id_and_issue_to_id` (`issue_from_id`,`issue_to_id`), - KEY `index_issue_relations_on_issue_from_id` (`issue_from_id`), - KEY `index_issue_relations_on_issue_to_id` (`issue_to_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `issue_statuses` --- - -DROP TABLE IF EXISTS `issue_statuses`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issue_statuses` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(30) NOT NULL DEFAULT '', - `is_closed` tinyint(1) NOT NULL DEFAULT '0', - `position` int(11) DEFAULT NULL, - `default_done_ratio` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_issue_statuses_on_position` (`position`), - KEY `index_issue_statuses_on_is_closed` (`is_closed`) -) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `issues` --- - -DROP TABLE IF EXISTS `issues`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issues` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `tracker_id` int(11) NOT NULL, - `project_id` int(11) NOT NULL, - `subject` varchar(255) NOT NULL DEFAULT '', - `description` longtext, - `due_date` date DEFAULT NULL, - `category_id` int(11) DEFAULT NULL, - `status_id` int(11) NOT NULL, - `assigned_to_id` int(11) DEFAULT NULL, - `priority_id` int(11) NOT NULL, - `fixed_version_id` int(11) DEFAULT NULL, - `author_id` int(11) NOT NULL, - `lock_version` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `start_date` date DEFAULT NULL, - `done_ratio` int(11) NOT NULL DEFAULT '0', - `estimated_hours` float DEFAULT NULL, - `parent_id` int(11) DEFAULT NULL, - `root_id` int(11) DEFAULT NULL, - `lft` int(11) DEFAULT NULL, - `rgt` int(11) DEFAULT NULL, - `is_private` tinyint(1) NOT NULL DEFAULT '0', - `closed_on` datetime DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `issues_project_id` (`project_id`), - KEY `index_issues_on_status_id` (`status_id`), - KEY `index_issues_on_category_id` (`category_id`), - KEY `index_issues_on_assigned_to_id` (`assigned_to_id`), - KEY `index_issues_on_fixed_version_id` (`fixed_version_id`), - KEY `index_issues_on_tracker_id` (`tracker_id`), - KEY `index_issues_on_priority_id` (`priority_id`), - KEY `index_issues_on_author_id` (`author_id`), - KEY `index_issues_on_created_on` (`created_on`), - KEY `index_issues_on_root_id_and_lft_and_rgt` (`root_id`,`lft`,`rgt`), - KEY `index_issues_on_parent_id` (`parent_id`) -) ENGINE=InnoDB AUTO_INCREMENT=620 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `journal_details` --- - -DROP TABLE IF EXISTS `journal_details`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `journal_details` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `journal_id` int(11) NOT NULL DEFAULT '0', - `property` varchar(30) NOT NULL DEFAULT '', - `prop_key` varchar(30) NOT NULL DEFAULT '', - `old_value` longtext, - `value` longtext, - PRIMARY KEY (`id`), - KEY `journal_details_journal_id` (`journal_id`) -) ENGINE=InnoDB AUTO_INCREMENT=9 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `journals` --- - -DROP TABLE IF EXISTS `journals`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `journals` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `journalized_id` int(11) NOT NULL DEFAULT '0', - `journalized_type` varchar(30) NOT NULL DEFAULT '', - `user_id` int(11) NOT NULL DEFAULT '0', - `notes` longtext, - `created_on` datetime NOT NULL, - `private_notes` tinyint(1) NOT NULL DEFAULT '0', - PRIMARY KEY (`id`), - KEY `journals_journalized_id` (`journalized_id`,`journalized_type`), - KEY `index_journals_on_user_id` (`user_id`), - KEY `index_journals_on_journalized_id` (`journalized_id`), - KEY `index_journals_on_created_on` (`created_on`) -) ENGINE=InnoDB AUTO_INCREMENT=624 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `member_roles` --- - -DROP TABLE IF EXISTS `member_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `member_roles` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `member_id` int(11) NOT NULL, - `role_id` int(11) NOT NULL, - `inherited_from` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_member_roles_on_member_id` (`member_id`), - KEY `index_member_roles_on_role_id` (`role_id`), - KEY `index_member_roles_on_inherited_from` (`inherited_from`) -) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `members` --- - -DROP TABLE IF EXISTS `members`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `members` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL DEFAULT '0', - `project_id` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `mail_notification` tinyint(1) NOT NULL DEFAULT '0', - PRIMARY KEY (`id`), - UNIQUE KEY `index_members_on_user_id_and_project_id` (`user_id`,`project_id`), - KEY `index_members_on_user_id` (`user_id`), - KEY `index_members_on_project_id` (`project_id`) -) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `messages` --- - -DROP TABLE IF EXISTS `messages`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `messages` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `board_id` int(11) NOT NULL, - `parent_id` int(11) DEFAULT NULL, - `subject` varchar(255) NOT NULL DEFAULT '', - `content` text, - `author_id` int(11) DEFAULT NULL, - `replies_count` int(11) NOT NULL DEFAULT '0', - `last_reply_id` int(11) DEFAULT NULL, - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - `locked` tinyint(1) DEFAULT '0', - `sticky` int(11) DEFAULT '0', - PRIMARY KEY (`id`), - KEY `messages_board_id` (`board_id`), - KEY `messages_parent_id` (`parent_id`), - KEY `index_messages_on_last_reply_id` (`last_reply_id`), - KEY `index_messages_on_author_id` (`author_id`), - KEY `index_messages_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `news` --- - -DROP TABLE IF EXISTS `news`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `news` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) DEFAULT NULL, - `title` varchar(60) NOT NULL DEFAULT '', - `summary` varchar(255) DEFAULT '', - `description` text, - `author_id` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `comments_count` int(11) NOT NULL DEFAULT '0', - PRIMARY KEY (`id`), - KEY `news_project_id` (`project_id`), - KEY `index_news_on_author_id` (`author_id`), - KEY `index_news_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `open_id_authentication_associations` --- - -DROP TABLE IF EXISTS `open_id_authentication_associations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `open_id_authentication_associations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `issued` int(11) DEFAULT NULL, - `lifetime` int(11) DEFAULT NULL, - `handle` varchar(255) DEFAULT NULL, - `assoc_type` varchar(255) DEFAULT NULL, - `server_url` blob, - `secret` blob, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `open_id_authentication_nonces` --- - -DROP TABLE IF EXISTS `open_id_authentication_nonces`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `open_id_authentication_nonces` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `timestamp` int(11) NOT NULL, - `server_url` varchar(255) DEFAULT NULL, - `salt` varchar(255) NOT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `projects` --- - -DROP TABLE IF EXISTS `projects`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `projects` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(255) NOT NULL DEFAULT '', - `description` text, - `homepage` varchar(255) DEFAULT '', - `is_public` tinyint(1) NOT NULL DEFAULT '1', - `parent_id` int(11) DEFAULT NULL, - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `identifier` varchar(255) DEFAULT NULL, - `status` int(11) NOT NULL DEFAULT '1', - `lft` int(11) DEFAULT NULL, - `rgt` int(11) DEFAULT NULL, - `inherit_members` tinyint(1) NOT NULL DEFAULT '0', - `default_version_id` int(11) DEFAULT NULL, - `default_assigned_to_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_projects_on_lft` (`lft`), - KEY `index_projects_on_rgt` (`rgt`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `projects_trackers` --- - -DROP TABLE IF EXISTS `projects_trackers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `projects_trackers` ( - `project_id` int(11) NOT NULL DEFAULT '0', - `tracker_id` int(11) NOT NULL DEFAULT '0', - UNIQUE KEY `projects_trackers_unique` (`project_id`,`tracker_id`), - KEY `projects_trackers_project_id` (`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `queries` --- - -DROP TABLE IF EXISTS `queries`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `queries` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) DEFAULT NULL, - `name` varchar(255) NOT NULL DEFAULT '', - `filters` text, - `user_id` int(11) NOT NULL DEFAULT '0', - `column_names` text, - `sort_criteria` text, - `group_by` varchar(255) DEFAULT NULL, - `type` varchar(255) DEFAULT NULL, - `visibility` int(11) DEFAULT '0', - `options` text, - PRIMARY KEY (`id`), - KEY `index_queries_on_project_id` (`project_id`), - KEY `index_queries_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=9 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `queries_roles` --- - -DROP TABLE IF EXISTS `queries_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `queries_roles` ( - `query_id` int(11) NOT NULL, - `role_id` int(11) NOT NULL, - UNIQUE KEY `queries_roles_ids` (`query_id`,`role_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `repositories` --- - -DROP TABLE IF EXISTS `repositories`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `repositories` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `url` varchar(255) NOT NULL DEFAULT '', - `login` varchar(60) DEFAULT '', - `password` varchar(255) DEFAULT '', - `root_url` varchar(255) DEFAULT '', - `type` varchar(255) DEFAULT NULL, - `path_encoding` varchar(64) DEFAULT NULL, - `log_encoding` varchar(64) DEFAULT NULL, - `extra_info` longtext, - `identifier` varchar(255) DEFAULT NULL, - `is_default` tinyint(1) DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_repositories_on_project_id` (`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `roles` --- - -DROP TABLE IF EXISTS `roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `roles` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(255) NOT NULL DEFAULT '', - `position` int(11) DEFAULT NULL, - `assignable` tinyint(1) DEFAULT '1', - `builtin` int(11) NOT NULL DEFAULT '0', - `permissions` text, - `issues_visibility` varchar(30) NOT NULL DEFAULT 'default', - `users_visibility` varchar(30) NOT NULL DEFAULT 'all', - `time_entries_visibility` varchar(30) NOT NULL DEFAULT 'all', - `all_roles_managed` tinyint(1) NOT NULL DEFAULT '1', - `settings` text, - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `roles_managed_roles` --- - -DROP TABLE IF EXISTS `roles_managed_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `roles_managed_roles` ( - `role_id` int(11) NOT NULL, - `managed_role_id` int(11) NOT NULL, - UNIQUE KEY `index_roles_managed_roles_on_role_id_and_managed_role_id` (`role_id`,`managed_role_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `schema_migrations` --- - -DROP TABLE IF EXISTS `schema_migrations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `schema_migrations` ( - `version` varchar(255) NOT NULL, - PRIMARY KEY (`version`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `settings` --- - -DROP TABLE IF EXISTS `settings`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `settings` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(255) NOT NULL DEFAULT '', - `value` text, - `updated_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_settings_on_name` (`name`) -) ENGINE=InnoDB AUTO_INCREMENT=71 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `time_entries` --- - -DROP TABLE IF EXISTS `time_entries`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `time_entries` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL, - `author_id` int(11) DEFAULT NULL, - `user_id` int(11) NOT NULL, - `issue_id` int(11) DEFAULT NULL, - `hours` float NOT NULL, - `comments` varchar(1024) DEFAULT NULL, - `activity_id` int(11) NOT NULL, - `spent_on` date NOT NULL, - `tyear` int(11) NOT NULL, - `tmonth` int(11) NOT NULL, - `tweek` int(11) NOT NULL, - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - PRIMARY KEY (`id`), - KEY `time_entries_project_id` (`project_id`), - KEY `time_entries_issue_id` (`issue_id`), - KEY `index_time_entries_on_activity_id` (`activity_id`), - KEY `index_time_entries_on_user_id` (`user_id`), - KEY `index_time_entries_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `tokens` --- - -DROP TABLE IF EXISTS `tokens`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `tokens` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL DEFAULT '0', - `action` varchar(30) NOT NULL DEFAULT '', - `value` varchar(40) NOT NULL DEFAULT '', - `created_on` datetime NOT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `tokens_value` (`value`), - KEY `index_tokens_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=46 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `trackers` --- - -DROP TABLE IF EXISTS `trackers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `trackers` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(30) NOT NULL DEFAULT '', - `description` varchar(255) DEFAULT NULL, - `is_in_chlog` tinyint(1) NOT NULL DEFAULT '0', - `position` int(11) DEFAULT NULL, - `is_in_roadmap` tinyint(1) NOT NULL DEFAULT '1', - `fields_bits` int(11) DEFAULT '0', - `default_status_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `user_preferences` --- - -DROP TABLE IF EXISTS `user_preferences`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `user_preferences` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL DEFAULT '0', - `others` text, - `hide_mail` tinyint(1) DEFAULT '1', - `time_zone` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_user_preferences_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `users` --- - -DROP TABLE IF EXISTS `users`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `users` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `login` varchar(255) NOT NULL DEFAULT '', - `hashed_password` varchar(40) NOT NULL DEFAULT '', - `firstname` varchar(30) NOT NULL DEFAULT '', - `lastname` varchar(255) NOT NULL DEFAULT '', - `admin` tinyint(1) NOT NULL DEFAULT '0', - `status` int(11) NOT NULL DEFAULT '1', - `last_login_on` datetime DEFAULT NULL, - `language` varchar(5) DEFAULT '', - `auth_source_id` int(11) DEFAULT NULL, - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `type` varchar(255) DEFAULT NULL, - `identity_url` varchar(255) DEFAULT NULL, - `mail_notification` varchar(255) NOT NULL DEFAULT '', - `salt` varchar(64) DEFAULT NULL, - `must_change_passwd` tinyint(1) NOT NULL DEFAULT '0', - `passwd_changed_on` datetime DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_users_on_id_and_type` (`id`,`type`), - KEY `index_users_on_auth_source_id` (`auth_source_id`), - KEY `index_users_on_type` (`type`) -) ENGINE=InnoDB AUTO_INCREMENT=10 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `versions` --- - -DROP TABLE IF EXISTS `versions`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `versions` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `name` varchar(255) NOT NULL DEFAULT '', - `description` varchar(255) DEFAULT '', - `effective_date` date DEFAULT NULL, - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `wiki_page_title` varchar(255) DEFAULT NULL, - `status` varchar(255) DEFAULT 'open', - `sharing` varchar(255) NOT NULL DEFAULT 'none', - PRIMARY KEY (`id`), - KEY `versions_project_id` (`project_id`), - KEY `index_versions_on_sharing` (`sharing`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `watchers` --- - -DROP TABLE IF EXISTS `watchers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `watchers` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `watchable_type` varchar(255) NOT NULL DEFAULT '', - `watchable_id` int(11) NOT NULL DEFAULT '0', - `user_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `watchers_user_id_type` (`user_id`,`watchable_type`), - KEY `index_watchers_on_user_id` (`user_id`), - KEY `index_watchers_on_watchable_id_and_watchable_type` (`watchable_id`,`watchable_type`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `webhooks` --- - -DROP TABLE IF EXISTS `webhooks`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `webhooks` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `url` varchar(255) DEFAULT NULL, - `project_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `wiki_content_versions` --- - -DROP TABLE IF EXISTS `wiki_content_versions`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_content_versions` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `wiki_content_id` int(11) NOT NULL, - `page_id` int(11) NOT NULL, - `author_id` int(11) DEFAULT NULL, - `data` longblob, - `compression` varchar(6) DEFAULT '', - `comments` varchar(1024) DEFAULT '', - `updated_on` datetime NOT NULL, - `version` int(11) NOT NULL, - PRIMARY KEY (`id`), - KEY `wiki_content_versions_wcid` (`wiki_content_id`), - KEY `index_wiki_content_versions_on_updated_on` (`updated_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `wiki_contents` --- - -DROP TABLE IF EXISTS `wiki_contents`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_contents` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `page_id` int(11) NOT NULL, - `author_id` int(11) DEFAULT NULL, - `text` longtext, - `comments` varchar(1024) DEFAULT '', - `updated_on` datetime NOT NULL, - `version` int(11) NOT NULL, - PRIMARY KEY (`id`), - KEY `wiki_contents_page_id` (`page_id`), - KEY `index_wiki_contents_on_author_id` (`author_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `wiki_pages` --- - -DROP TABLE IF EXISTS `wiki_pages`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_pages` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `wiki_id` int(11) NOT NULL, - `title` varchar(255) NOT NULL, - `created_on` datetime NOT NULL, - `protected` tinyint(1) NOT NULL DEFAULT '0', - `parent_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `wiki_pages_wiki_id_title` (`wiki_id`,`title`), - KEY `index_wiki_pages_on_wiki_id` (`wiki_id`), - KEY `index_wiki_pages_on_parent_id` (`parent_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `wiki_redirects` --- - -DROP TABLE IF EXISTS `wiki_redirects`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_redirects` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `wiki_id` int(11) NOT NULL, - `title` varchar(255) DEFAULT NULL, - `redirects_to` varchar(255) DEFAULT NULL, - `created_on` datetime NOT NULL, - `redirects_to_wiki_id` int(11) NOT NULL, - PRIMARY KEY (`id`), - KEY `wiki_redirects_wiki_id_title` (`wiki_id`,`title`), - KEY `index_wiki_redirects_on_wiki_id` (`wiki_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `wikis` --- - -DROP TABLE IF EXISTS `wikis`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wikis` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL, - `start_page` varchar(255) NOT NULL, - `status` int(11) NOT NULL DEFAULT '1', - PRIMARY KEY (`id`), - KEY `wikis_project_id` (`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Table structure for table `workflows` --- - -DROP TABLE IF EXISTS `workflows`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `workflows` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `tracker_id` int(11) NOT NULL DEFAULT '0', - `old_status_id` int(11) NOT NULL DEFAULT '0', - `new_status_id` int(11) NOT NULL DEFAULT '0', - `role_id` int(11) NOT NULL DEFAULT '0', - `assignee` tinyint(1) NOT NULL DEFAULT '0', - `author` tinyint(1) NOT NULL DEFAULT '0', - `type` varchar(30) DEFAULT NULL, - `field_name` varchar(30) DEFAULT NULL, - `rule` varchar(30) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `wkfs_role_tracker_old_status` (`role_id`,`tracker_id`,`old_status_id`), - KEY `index_workflows_on_old_status_id` (`old_status_id`), - KEY `index_workflows_on_role_id` (`role_id`), - KEY `index_workflows_on_new_status_id` (`new_status_id`), - KEY `index_workflows_on_tracker_id` (`tracker_id`) -) ENGINE=InnoDB AUTO_INCREMENT=247 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; -/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; - -/*!40101 SET SQL_MODE=@OLD_SQL_MODE */; -/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */; -/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */; -/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; -/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; -/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; -/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; - --- Dump completed on 2020-05-03 10:09:32 diff --git a/salt/playbook/files/playbook_db_init.sql b/salt/playbook/files/playbook_db_init.sql index 0a10e6eb5..1b1535fe3 100644 --- a/salt/playbook/files/playbook_db_init.sql +++ b/salt/playbook/files/playbook_db_init.sql @@ -356,7 +356,7 @@ CREATE TABLE `custom_fields` ( `description` text, PRIMARY KEY (`id`), KEY `index_custom_fields_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB AUTO_INCREMENT=18 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=27 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- @@ -365,7 +365,7 @@ CREATE TABLE `custom_fields` ( LOCK TABLES `custom_fields` WRITE; /*!40000 ALTER TABLE `custom_fields` DISABLE KEYS */; -INSERT INTO `custom_fields` VALUES (1,'IssueCustomField','Title','string',NULL,'',NULL,NULL,0,1,1,1,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(2,'IssueCustomField','Author','string',NULL,'',NULL,NULL,0,1,1,2,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(3,'IssueCustomField','Objective','text',NULL,'',NULL,NULL,0,1,1,13,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nfull_width_layout: \'1\'\n',''),(4,'IssueCustomField','Operational Notes','text',NULL,'',NULL,NULL,0,1,0,14,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(5,'IssueCustomField','Result Analysis','text',NULL,'',NULL,NULL,0,1,0,15,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(6,'IssueCustomField','ElastAlert Config','text',NULL,'',NULL,NULL,0,1,0,16,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(7,'IssueCustomField','HiveID','string',NULL,'',NULL,NULL,0,1,1,12,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(8,'IssueCustomField','References','text',NULL,'',NULL,NULL,0,1,0,6,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'0\'\n',''),(9,'IssueCustomField','Sigma','text',NULL,'',NULL,NULL,0,1,0,17,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(10,'IssueCustomField','Level','list','---\n- low\n- medium\n- high\n- critical\n','',NULL,NULL,0,1,1,3,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(11,'IssueCustomField','PlayID','string',NULL,'',NULL,NULL,0,1,1,8,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(12,'IssueCustomField','Signature ID','string',NULL,'',NULL,NULL,0,1,1,9,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(13,'IssueCustomField','Playbook','list','---\n- Internal\n- imported\n- community\n','',NULL,NULL,0,1,1,4,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(14,'IssueCustomField','Product','list','---\n- windows\n- linux\n- antivirus\n- osquery\n','',NULL,NULL,0,1,1,5,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(15,'IssueCustomField','ATT&CK Technique','list','---\n- T1001\n- T1002\n- T1003\n- T1004\n- T1005\n- T1006\n- T1007\n- T1008\n- T1009\n- T1010\n- T1011\n- T1012\n- T1013\n- T1014\n- T1015\n- T1016\n- T1017\n- T1018\n- T1019\n- T1020\n- T1021\n- T1022\n- T1023\n- T1024\n- T1025\n- T1026\n- T1027\n- T1028\n- T1029\n- T1030\n- T1031\n- T1032\n- T1033\n- T1034\n- T1035\n- T1036\n- T1037\n- T1038\n- T1039\n- T1040\n- T1041\n- T1042\n- T1043\n- T1044\n- T1045\n- T1046\n- T1047\n- T1048\n- T1049\n- T1050\n- T1051\n- T1052\n- T1053\n- T1054\n- T1055\n- T1056\n- T1057\n- T1058\n- T1059\n- T1060\n- T1061\n- T1062\n- T1063\n- T1064\n- T1065\n- T1066\n- T1067\n- T1068\n- T1069\n- T1070\n- T1071\n- T1072\n- T1073\n- T1074\n- T1075\n- T1076\n- T1077\n- T1078\n- T1079\n- T1080\n- T1081\n- T1082\n- T1083\n- T1084\n- T1085\n- T1086\n- T1087\n- T1088\n- T1089\n- T1090\n- T1091\n- T1092\n- T1093\n- T1094\n- T1095\n- T1096\n- T1097\n- T1098\n- T1099\n- T1100\n- T1101\n- T1102\n- T1103\n- T1104\n- T1105\n- T1106\n- T1107\n- T1108\n- T1109\n- T1110\n- T1111\n- T1112\n- T1113\n- T1114\n- T1115\n- T1116\n- T1117\n- T1118\n- T1119\n- T1120\n- T1121\n- T1122\n- T1123\n- T1124\n- T1125\n- T1126\n- T1127\n- T1128\n- T1129\n- T1130\n- T1131\n- T1132\n- T1133\n- T1134\n- T1135\n- T1136\n- T1137\n- T1138\n- T1139\n- T1140\n- T1141\n- T1142\n- T1143\n- T1144\n- T1145\n- T1146\n- T1147\n- T1148\n- T1149\n- T1150\n- T1151\n- T1152\n- T1153\n- T1154\n- T1155\n- T1156\n- T1157\n- T1158\n- T1159\n- T1160\n- T1161\n- T1162\n- T1163\n- T1164\n- T1165\n- T1166\n- T1167\n- T1168\n- T1169\n- T1170\n- T1171\n- T1172\n- T1173\n- T1174\n- T1175\n- T1176\n- T1177\n- T1178\n- T1179\n- T1180\n- T1181\n- T1182\n- T1183\n- T1184\n- T1185\n- T1186\n- T1187\n- T1188\n- T1189\n- T1190\n- T1191\n- T1192\n- T1193\n- T1194\n- T1195\n- T1196\n- T1197\n- T1198\n- T1199\n- T1200\n- T1201\n- T1202\n- T1203\n- T1204\n- T1205\n- T1206\n- T1207\n- T1208\n- T1209\n- T1210\n- T1211\n- T1212\n- T1213\n- T1214\n- T1215\n- T1216\n- T1217\n- T1218\n- T1219\n- T1220\n- T1221\n- T1222\n- T1223\n- T1224\n- T1225\n- T1226\n- T1227\n- T1228\n- T1229\n- T1230\n- T1231\n- T1232\n- T1233\n- T1234\n- T1235\n- T1236\n- T1237\n- T1238\n- T1239\n- T1240\n- T1241\n- T1242\n- T1243\n- T1244\n- T1245\n- T1246\n- T1247\n- T1248\n- T1249\n- T1250\n- T1251\n- T1252\n- T1253\n- T1254\n- T1255\n- T1256\n- T1257\n- T1258\n- T1259\n- T1260\n- T1261\n- T1262\n- T1263\n- T1264\n- T1265\n- T1266\n- T1267\n- T1268\n- T1269\n- T1270\n- T1271\n- T1272\n- T1273\n- T1274\n- T1275\n- T1276\n- T1277\n- T1278\n- T1279\n- T1280\n- T1281\n- T1282\n- T1283\n- T1284\n- T1285\n- T1286\n- T1287\n- T1288\n- T1289\n- T1290\n- T1291\n- T1292\n- T1293\n- T1294\n- T1295\n- T1296\n- T1297\n- T1298\n- T1299\n- T1300\n- T1301\n- T1302\n- T1303\n- T1304\n- T1305\n- T1306\n- T1307\n- T1308\n- T1309\n- T1310\n- T1311\n- T1312\n- T1313\n- T1314\n- T1315\n- T1316\n- T1317\n- T1318\n- T1319\n- T1320\n- T1321\n- T1322\n- T1323\n- T1324\n- T1325\n- T1326\n- T1327\n- T1328\n- T1329\n- T1330\n- T1331\n- T1332\n- T1333\n- T1334\n- T1335\n- T1336\n- T1337\n- T1338\n- T1339\n- T1340\n- T1341\n- T1342\n- T1343\n- T1344\n- T1345\n- T1346\n- T1347\n- T1348\n- T1349\n- T1350\n- T1351\n- T1352\n- T1353\n- T1354\n- T1355\n- T1356\n- T1357\n- T1358\n- T1359\n- T1360\n- T1361\n- T1362\n- T1363\n- T1364\n- T1365\n- T1366\n- T1367\n- T1368\n- T1369\n- T1370\n- T1371\n- T1372\n- T1373\n- T1374\n- T1375\n- T1376\n- T1377\n- T1378\n- T1379\n- T1380\n- T1381\n- T1382\n- T1383\n- T1384\n- T1385\n- T1386\n- T1387\n- T1388\n- T1389\n- T1390\n- T1391\n- T1392\n- T1393\n- T1394\n- T1395\n- T1396\n- T1397\n- T1398\n- T1399\n- T1400\n- T1401\n- T1402\n- T1403\n- T1404\n- T1405\n- T1406\n- T1407\n- T1408\n- T1409\n- T1410\n- T1411\n- T1412\n- T1413\n- T1414\n- T1415\n- T1416\n- T1417\n- T1418\n- T1419\n- T1420\n- T1421\n- T1422\n- T1423\n- T1424\n- T1425\n- T1426\n- T1427\n- T1428\n- T1429\n- T1430\n- T1431\n- T1432\n- T1433\n- T1434\n- T1435\n- T1436\n- T1437\n- T1438\n- T1439\n- T1440\n- T1441\n- T1442\n- T1443\n- T1444\n- T1445\n- T1446\n- T1447\n- T1448\n- T1449\n- T1450\n- T1451\n- T1452\n- T1453\n- T1454\n- T1455\n- T1456\n- T1457\n- T1458\n- T1459\n- T1460\n- T1461\n- T1462\n- T1463\n- T1464\n- T1465\n- T1466\n- T1467\n- T1468\n- T1469\n- T1470\n- T1471\n- T1472\n- T1473\n- T1474\n- T1475\n- T1476\n- T1477\n- T1478\n- T1479\n- T1480\n- T1481\n- T1482\n- T1483\n- T1484\n- T1485\n- T1486\n- T1487\n- T1488\n- T1489\n- T1490\n- T1491\n- T1492\n- T1493\n- T1494\n- T1495\n- T1496\n- T1497\n- T1498\n- T1499\n- T1500\n- T1501\n- T1502\n- T1503\n- T1504\n- T1505\n- T1506\n- T1507\n- T1508\n- T1509\n- T1510\n- T1511\n- T1512\n- T1513\n- T1514\n- T1515\n- T1516\n- T1517\n- T1518\n- T1519\n- T1520\n- T1521\n- T1522\n- T1523\n- T1524\n- T1525\n- T1526\n- T1527\n- T1528\n- T1529\n- T1530\n- T1531\n- T1532\n- T1533\n- T1534\n- T1535\n- T1536\n- T1537\n- T1538\n- T1539\n- T1540\n- T1541\n- T1542\n- T1543\n- T1544\n- T1545\n- T1546\n- T1547\n- T1548\n- T1549\n- T1550\n- T1551\n- T1552\n- T1553\n','',NULL,NULL,0,1,1,7,0,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: https://attack.mitre.org/techniques/%value%\nedit_tag_style: \'\'\n',''),(16,'IssueCustomField','Category','list','---\n- win-sysmon\n- win-builtin\n- win-proc\n- win-malware\n- win-other\n- win-powershell\n','',NULL,NULL,0,1,1,10,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(17,'IssueCustomField','Case Analyzers','list','---\n- Urlscan_io_Search - ip,domain,hash,url\n- CERTatPassiveDNS - domain,fqdn,ip\n','',NULL,NULL,0,1,1,11,1,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''); +INSERT INTO `custom_fields` VALUES (1,'IssueCustomField','Title','string',NULL,'',NULL,NULL,0,1,1,1,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(2,'IssueCustomField','Author','string',NULL,'',NULL,NULL,0,1,1,2,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(3,'IssueCustomField','Objective','text',NULL,'',NULL,NULL,0,1,1,14,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nfull_width_layout: \'1\'\n',''),(4,'IssueCustomField','Operational Notes','text',NULL,'',NULL,NULL,0,1,0,15,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(5,'IssueCustomField','Result Analysis','text',NULL,'',NULL,NULL,0,1,0,16,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(6,'IssueCustomField','ElastAlert Config','text',NULL,'',NULL,NULL,0,1,0,17,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(7,'IssueCustomField','HiveID','string',NULL,'',NULL,NULL,0,1,1,13,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(8,'IssueCustomField','References','text',NULL,'',NULL,NULL,0,1,0,6,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'0\'\n',''),(9,'IssueCustomField','Sigma','text',NULL,'',NULL,NULL,0,1,0,18,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(10,'IssueCustomField','Level','list','---\n- low\n- medium\n- high\n- critical\n','',NULL,NULL,0,1,1,3,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(11,'IssueCustomField','PlayID','string',NULL,'',NULL,NULL,0,1,1,8,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(12,'IssueCustomField','Rule ID','string',NULL,'',NULL,NULL,0,1,1,9,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(13,'IssueCustomField','Playbook','list','---\n- Internal\n- imported\n- community\n','',NULL,NULL,0,1,1,4,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(15,'IssueCustomField','ATT&CK Technique','list','---\n- T1001\n- T1002\n- T1003\n- T1004\n- T1005\n- T1006\n- T1007\n- T1008\n- T1009\n- T1010\n- T1011\n- T1012\n- T1013\n- T1014\n- T1015\n- T1016\n- T1017\n- T1018\n- T1019\n- T1020\n- T1021\n- T1022\n- T1023\n- T1024\n- T1025\n- T1026\n- T1027\n- T1028\n- T1029\n- T1030\n- T1031\n- T1032\n- T1033\n- T1034\n- T1035\n- T1036\n- T1037\n- T1038\n- T1039\n- T1040\n- T1041\n- T1042\n- T1043\n- T1044\n- T1045\n- T1046\n- T1047\n- T1048\n- T1049\n- T1050\n- T1051\n- T1052\n- T1053\n- T1054\n- T1055\n- T1056\n- T1057\n- T1058\n- T1059\n- T1060\n- T1061\n- T1062\n- T1063\n- T1064\n- T1065\n- T1066\n- T1067\n- T1068\n- T1069\n- T1070\n- T1071\n- T1072\n- T1073\n- T1074\n- T1075\n- T1076\n- T1077\n- T1078\n- T1079\n- T1080\n- T1081\n- T1082\n- T1083\n- T1084\n- T1085\n- T1086\n- T1087\n- T1088\n- T1089\n- T1090\n- T1091\n- T1092\n- T1093\n- T1094\n- T1095\n- T1096\n- T1097\n- T1098\n- T1099\n- T1100\n- T1101\n- T1102\n- T1103\n- T1104\n- T1105\n- T1106\n- T1107\n- T1108\n- T1109\n- T1110\n- T1111\n- T1112\n- T1113\n- T1114\n- T1115\n- T1116\n- T1117\n- T1118\n- T1119\n- T1120\n- T1121\n- T1122\n- T1123\n- T1124\n- T1125\n- T1126\n- T1127\n- T1128\n- T1129\n- T1130\n- T1131\n- T1132\n- T1133\n- T1134\n- T1135\n- T1136\n- T1137\n- T1138\n- T1139\n- T1140\n- T1141\n- T1142\n- T1143\n- T1144\n- T1145\n- T1146\n- T1147\n- T1148\n- T1149\n- T1150\n- T1151\n- T1152\n- T1153\n- T1154\n- T1155\n- T1156\n- T1157\n- T1158\n- T1159\n- T1160\n- T1161\n- T1162\n- T1163\n- T1164\n- T1165\n- T1166\n- T1167\n- T1168\n- T1169\n- T1170\n- T1171\n- T1172\n- T1173\n- T1174\n- T1175\n- T1176\n- T1177\n- T1178\n- T1179\n- T1180\n- T1181\n- T1182\n- T1183\n- T1184\n- T1185\n- T1186\n- T1187\n- T1188\n- T1189\n- T1190\n- T1191\n- T1192\n- T1193\n- T1194\n- T1195\n- T1196\n- T1197\n- T1198\n- T1199\n- T1200\n- T1201\n- T1202\n- T1203\n- T1204\n- T1205\n- T1206\n- T1207\n- T1208\n- T1209\n- T1210\n- T1211\n- T1212\n- T1213\n- T1214\n- T1215\n- T1216\n- T1217\n- T1218\n- T1219\n- T1220\n- T1221\n- T1222\n- T1223\n- T1480\n- T1482\n- T1483\n- T1484\n- T1485\n- T1486\n- T1487\n- T1488\n- T1489\n- T1490\n- T1491\n- T1492\n- T1493\n- T1494\n- T1495\n- T1496\n- T1497\n- T1498\n- T1499\n- T1500\n- T1501\n- T1502\n- T1503\n- T1504\n- T1505\n- T1506\n- T1514\n- T1518\n- T1519\n- T1522\n- T1525\n- T1526\n- T1527\n- T1528\n- T1529\n- T1530\n- T1531\n- T1534\n- T1535\n- T1536\n- T1537\n- T1538\n- T1539\n- T1540\n- T1541\n- T1542\n- T1543\n- T1544\n- T1545\n- T1546\n- T1547\n- T1548\n- T1549\n- T1550\n- T1551\n- T1552\n- T1553\n- T1554\n- T1555\n- T1556\n- T1557\n- T1558\n- T1559\n- T1560\n- T1561\n- T1562\n- T1563\n- T1564\n- T1565\n- T1566\n- T1567\n- T1568\n- T1569\n- T1570\n- T1571\n- T1572\n- T1573\n- T1574\n- T1575\n- T1576\n- T1577\n- T1578\n- T1579\n- T1580\n- T1581\n- T1582\n- T1583\n- T1584\n- T1585\n- T1586\n- T1587\n- T1588\n- T1589\n- T1590\n- T1591\n- T1592\n- T1593\n- T1594\n- T1595\n- T1596\n- T1597\n- T1598\n- T1599\n- T1600\n- T1601\n- T1602\n- T1603\n- T1604\n- T1605\n- T1606\n- T1607\n- T1608\n- T1609\n- T1610\n- T1611\n- T1612\n- T1613\n- T1614\n- T1615\n- T1616\n- T1617\n- T1618\n- T1619\n- T1620\n- T1621\n- T1622\n- T1623\n- T1624\n- T1625\n- T1626\n- T1627\n- T1628\n- T1629\n- T1630\n- T1631\n- T1632\n- T1633\n- T1634\n- T1635\n- T1636\n- T1637\n- T1638\n- T1639\n- T1640\n- T1641\n- T1642\n- T1643\n- T1644\n- T1645\n- T1646\n- T1647\n- T1648\n- T1649\n- T1650\n- T1651\n- T1652\n- T1653\n- T1654\n- T1655\n- T1656\n- T1657\n- T1658\n- T1659\n- T1660\n- T1661\n- T1662\n- T1663\n- T1664\n- T1665\n- T1666\n- T1667\n- T1668\n- T1669\n- T1670\n- T1671\n- T1672\n- T1673\n- T1674\n- T1675\n- T1676\n- T1677\n- T1678\n- T1679\n- T1680\n- T1681\n- T1682\n- T1683\n- T1684\n- T1685\n- T1686\n- T1687\n- T1688\n- T1689\n- T1690\n- T1691\n- T1692\n- T1693\n- T1694\n- T1695\n- T1696\n- T1697\n- T1698\n- T1699\n- T1700\n- T1701\n- T1702\n- T1703\n- T1704\n- T1705\n- T1706\n- T1707\n- T1708\n- T1709\n- T1710\n- T1711\n- T1712\n- T1713\n- T1714\n- T1715\n- T1716\n- T1717\n- T1718\n- T1719\n- T1720\n- T1721\n- T1722\n- T1723\n- T1724\n- T1725\n- T1726\n- T1727\n- T1728\n- T1729\n- T1730\n- T1731\n- T1732\n- T1733\n- T1734\n- T1735\n- T1736\n- T1737\n- T1738\n- T1739\n- T1740\n- T1741\n- T1742\n- T1743\n- T1744\n- T1745\n- T1746\n- T1747\n- T1748\n- T1749\n- T1750\n- T1751\n- T1752\n','',NULL,NULL,0,1,1,7,0,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: https://attack.mitre.org/techniques/%value%\nedit_tag_style: \'\'\n',''),(17,'IssueCustomField','Case Analyzers','list','---\n- Urlscan_io_Search - ip,domain,hash,url\n- CERTatPassiveDNS - domain,fqdn,ip\n','',NULL,NULL,0,1,1,12,1,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(18,'IssueCustomField','Ruleset','string',NULL,'',NULL,NULL,0,1,1,10,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(19,'IssueCustomField','Group','string',NULL,'',NULL,NULL,0,1,1,11,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(20,'IssueCustomField','Product','string',NULL,'',NULL,NULL,0,1,1,5,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(21,'IssueCustomField','Target Log','text',NULL,'',NULL,NULL,0,1,0,19,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(22,'IssueCustomField','Unit Test','list','---\n- Passed\n- Failed\n','',NULL,NULL,0,1,1,20,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(26,'IssueCustomField','License','list','---\n- Apache-2.0\n- BSD-2-Clause\n- BSD-3-Clause\n- CC0-1.0\n- CC-PDDC\n- DRL-1.0\n- LGPL-3.0-only\n- MIT License\n- GPL-2.0-only\n- GPL-3.0-only\n','',NULL,NULL,0,1,0,21,0,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: https://spdx.org/licenses/%value%.html\nedit_tag_style: \'\'\n',''); /*!40000 ALTER TABLE `custom_fields` ENABLE KEYS */; UNLOCK TABLES; @@ -435,7 +435,7 @@ CREATE TABLE `custom_fields_trackers` ( LOCK TABLES `custom_fields_trackers` WRITE; /*!40000 ALTER TABLE `custom_fields_trackers` DISABLE KEYS */; -INSERT INTO `custom_fields_trackers` VALUES (1,1),(2,1),(3,1),(4,1),(5,1),(6,1),(7,1),(8,1),(9,1),(10,1),(11,1),(12,1),(13,1),(14,1),(15,1),(16,1),(17,1); +INSERT INTO `custom_fields_trackers` VALUES (1,1),(2,1),(3,1),(4,1),(5,1),(6,1),(7,1),(8,1),(9,1),(10,1),(11,1),(12,1),(13,1),(15,1),(17,1),(18,1),(19,1),(20,1),(21,1),(22,1),(26,1); /*!40000 ALTER TABLE `custom_fields_trackers` ENABLE KEYS */; UNLOCK TABLES; @@ -455,7 +455,7 @@ CREATE TABLE `custom_values` ( PRIMARY KEY (`id`), KEY `custom_values_customized` (`customized_type`,`customized_id`), KEY `index_custom_values_on_custom_field_id` (`custom_field_id`) -) ENGINE=InnoDB AUTO_INCREMENT=11256 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=134139 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- @@ -464,7 +464,6 @@ CREATE TABLE `custom_values` ( LOCK TABLES `custom_values` WRITE; /*!40000 ALTER TABLE `custom_values` DISABLE KEYS */; -INSERT INTO `custom_values` VALUES (5638,'Issue',313,1,'Executable in ADS'),(5639,'Issue',313,2,'Florian Roth, @0xrawsec'),(5640,'Issue',313,8,'https://twitter.com/0xrawsec/status/1002478725605273600?s=21'),(5641,'Issue',313,10,'critical'),(5642,'Issue',313,13,'community'),(5643,'Issue',313,14,'windows'),(5645,'Issue',313,11,'7a9593a8c'),(5646,'Issue',313,12,'b69888d4-380c-45ce-9cf9-d9ce46e67821'),(5647,'Issue',313,16,'win-sysmon'),(5648,'Issue',313,17,''),(5649,'Issue',313,7,''),(5650,'Issue',313,3,'Detects the creation of an ADS data stream that contains an executable (non-empty imphash)'),(5651,'Issue',313,4,''),(5652,'Issue',313,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nTargetFilename\nImage'),(5653,'Issue',313,6,'{{collapse(View ElastAlert Config)\n
\n\n\n
\n}}'),(5654,'Issue',313,9,'{{collapse(View Sigma)\n
\n\ntitle: Executable in ADS\nid: b69888d4-380c-45ce-9cf9-d9ce46e67821\nstatus: experimental\ndescription: Detects the creation of an ADS data stream that contains an executable\n  (non-empty imphash)\nreferences:\n- https://twitter.com/0xrawsec/status/1002478725605273600?s=21\ntags:\n- attack.defense_evasion\n- attack.t1027\n- attack.s0139\nauthor: Florian Roth, @0xrawsec\ndate: 2018/06/03\nlogsource:\n  product: windows\n  service: sysmon\n  definition: \'Requirements: Sysmon config with Imphash logging activated\'\ndetection:\n  selection:\n    EventID: 15\n  filter:\n    Imphash:\n    - \'00000000000000000000000000000000\'\n    - \n  condition: selection and not filter\nfields:\n- TargetFilename\n- Image\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(5655,'Issue',313,15,'T1027'),(5656,'Issue',314,1,'Alternate PowerShell Hosts Module Load'),(5657,'Issue',314,2,'Roberto Rodriguez @Cyb3rWard0g'),(5658,'Issue',314,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md'),(5659,'Issue',314,10,'high'),(5660,'Issue',314,13,'community'),(5661,'Issue',314,14,'windows'),(5663,'Issue',314,11,'2f468dc10'),(5664,'Issue',314,12,'f67f6c57-257d-4919-a416-69cd31f9aac3'),(5665,'Issue',314,16,'win-sysmon'),(5666,'Issue',314,17,''),(5667,'Issue',314,7,''),(5668,'Issue',314,3,'Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe'),(5669,'Issue',314,4,''),(5670,'Issue',314,5,'_False Positives_\nPrograms using PowerShell directly without invocation of a dedicated interpreter.'),(5671,'Issue',314,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND process.pe.description:\"system.management.automation\" AND event_data.ImageLoaded.keyword:*system.management.automation*) AND (NOT (process.executable.keyword:*\\\\powershell.exe)))\nindex: so-*\nname: Alternate PowerShell Hosts Module Load\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5672,'Issue',314,9,'{{collapse(View Sigma)\n
\n\ntitle: Alternate PowerShell Hosts Module Load\nid: f67f6c57-257d-4919-a416-69cd31f9aac3\ndescription: Detects alternate PowerShell hosts potentially bypassing detections looking\n  for powershell.exe\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Description: system.management.automation\n    ImageLoaded|contains: system.management.automation\n  filter:\n    Image|endswith: \\powershell.exe\n  condition: selection and not filter\nfalsepositives:\n- Programs using PowerShell directly without invocation of a dedicated interpreter.\nlevel: high\n\n
\n}}'),(5673,'Issue',314,15,'T1086'),(5674,'Issue',315,1,'Alternate PowerShell Hosts Pipe'),(5675,'Issue',315,2,'Roberto Rodriguez @Cyb3rWard0g'),(5676,'Issue',315,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md'),(5677,'Issue',315,10,'medium'),(5678,'Issue',315,13,'community'),(5679,'Issue',315,14,'windows'),(5681,'Issue',315,11,'705958333'),(5682,'Issue',315,12,'58cb02d5-78ce-4692-b3e1-dce850aae41a'),(5683,'Issue',315,16,'win-sysmon'),(5684,'Issue',315,17,''),(5685,'Issue',315,7,''),(5686,'Issue',315,3,'Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe'),(5687,'Issue',315,4,''),(5688,'Issue',315,5,'_False Positives_\nPrograms using PowerShell directly without invocation of a dedicated interpreter.\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nPipeName'),(5689,'Issue',315,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"17\" AND event_data.PipeName.keyword:\\\\PSHost*) AND (NOT (process.executable.keyword:*\\\\powershell.exe)))\nindex: so-*\nname: Alternate PowerShell Hosts Pipe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5690,'Issue',315,9,'{{collapse(View Sigma)\n
\n\ntitle: Alternate PowerShell Hosts Pipe\nid: 58cb02d5-78ce-4692-b3e1-dce850aae41a\ndescription: Detects alternate PowerShell hosts potentially bypassing detections looking\n  for powershell.exe\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 17\n    PipeName|startswith: \\PSHost\n  filter:\n    Image|endswith: \\powershell.exe\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\n- PipeName\nfalsepositives:\n- Programs using PowerShell directly without invocation of a dedicated interpreter.\nlevel: medium\n\n
\n}}'),(5691,'Issue',315,15,'T1086'),(5692,'Issue',316,1,'OceanLotus Registry Activity'),(5693,'Issue',316,2,'megan201296'),(5694,'Issue',316,8,'https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/'),(5695,'Issue',316,10,'critical'),(5696,'Issue',316,13,'community'),(5697,'Issue',316,14,'windows'),(5699,'Issue',316,11,'515c55bec'),(5700,'Issue',316,12,'4ac5fc44-a601-4c06-955b-309df8c4e9d4'),(5701,'Issue',316,16,'win-sysmon'),(5702,'Issue',316,17,''),(5703,'Issue',316,7,''),(5704,'Issue',316,3,'Detects registry keys created in OceanLotus (also known as APT32) attacks'),(5705,'Issue',316,4,''),(5706,'Issue',316,5,'_False Positives_\nUnknown'),(5707,'Issue',316,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(HKCR\\\\CLSID\\\\\\{E08A0F4B\\-1F65\\-4D4D\\-9A09\\-BD4625B9C5A1\\}\\\\Model OR HKU\\\\*_Classes\\\\CLSID\\\\\\{E08A0F4B\\-1F65\\-4D4D\\-9A09\\-BD4625B9C5A1\\}\\\\Model OR *\\\\SOFTWARE\\\\App\\\\AppXbf13d4ea2945444d8b13e2121cb6b663\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppXbf13d4ea2945444d8b13e2121cb6b663\\\\DefaultIcon OR *\\\\SOFTWARE\\\\App\\\\AppX70162486c7554f7f80f481985d67586d\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppX70162486c7554f7f80f481985d67586d\\\\DefaultIcon OR *\\\\SOFTWARE\\\\App\\\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\DefaultIcon OR HKU\\\\*_Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\* OR HKU\\\\*_Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\* OR HKU\\\\*_Classes\\\\CLSID\\\\\\{E3517E26\\-8E93\\-458D\\-A6DF\\-8030BC80528B\\}\\\\*))\nindex: so-*\nname: OceanLotus Registry Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5708,'Issue',316,9,'{{collapse(View Sigma)\n
\n\ntitle: OceanLotus Registry Activity\nid: 4ac5fc44-a601-4c06-955b-309df8c4e9d4\nstatus: experimental\ndescription: Detects registry keys created in OceanLotus (also known as APT32) attacks\nreferences:\n- https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/\ntags:\n- attack.t1112\nauthor: megan201296\ndate: 2019/04/14\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject:\n    - HKCR\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model\n    - HKU\\\\*_Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model\n    - \'*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\Application\'\n    - \'*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\DefaultIcon\'\n    - \'*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\Application\'\n    - \'*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\DefaultIcon\'\n    - \'*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\Application\'\n    - \'*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\DefaultIcon\'\n    - HKU\\\\*_Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\*\n    - HKU\\\\*_Classes\\AppX3bbba44c6cae4d9695755183472171e2\\\\*\n    - HKU\\\\*_Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\*\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(5709,'Issue',316,15,'T1112'),(5710,'Issue',317,1,'Turla Group Named Pipes'),(5711,'Issue',317,2,'Markus Neis'),(5712,'Issue',317,8,'Internal Research'),(5713,'Issue',317,10,'critical'),(5714,'Issue',317,13,'community'),(5715,'Issue',317,14,'windows'),(5716,'Issue',317,15,''),(5717,'Issue',317,11,'9f6d31f18'),(5718,'Issue',317,12,'739915e4-1e70-4778-8b8a-17db02f66db1'),(5719,'Issue',317,16,'win-sysmon'),(5720,'Issue',317,17,''),(5721,'Issue',317,7,''),(5722,'Issue',317,3,'Detects a named pipe used by Turla group samples'),(5723,'Issue',317,4,''),(5724,'Issue',317,5,'_False Positives_\nUnkown'),(5725,'Issue',317,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"17\" OR \"18\") AND event_data.PipeName:(\"\\\\atctl\" OR \"\\\\userpipe\" OR \"\\\\iehelper\" OR \"\\\\sdlrpc\" OR \"\\\\comnap\"))\nindex: so-*\nname: Turla Group Named Pipes\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5726,'Issue',317,9,'{{collapse(View Sigma)\n
\n\ntitle: Turla Group Named Pipes\nid: 739915e4-1e70-4778-8b8a-17db02f66db1\nstatus: experimental\ndescription: Detects a named pipe used by Turla group samples\nreferences:\n- Internal Research\ndate: 2017/11/06\ntags:\n- attack.g0010\nauthor: Markus Neis\nlogsource:\n  product: windows\n  service: sysmon\n  definition: Note that you have to configure logging for PipeEvents in Symson config\ndetection:\n  selection:\n    EventID:\n    - 17\n    - 18\n    PipeName:\n    - \\atctl\n    - \\userpipe\n    - \\iehelper\n    - \\sdlrpc\n    - \\comnap\n  condition: selection\nfalsepositives:\n- Unkown\nlevel: critical\n\n
\n}}'),(5727,'Issue',318,1,'Autorun Keys Modification'),(5728,'Issue',318,2,'Victor Sergeev, Daniil Yugoslavskiy, oscd.community'),(5729,'Issue',318,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml'),(5730,'Issue',318,10,'medium'),(5731,'Issue',318,13,'community'),(5732,'Issue',318,14,'windows'),(5734,'Issue',318,11,'102e8b3e7'),(5735,'Issue',318,12,'17f878b8-9968-4578-b814-c4217fc5768c'),(5736,'Issue',318,16,'win-sysmon'),(5737,'Issue',318,17,''),(5738,'Issue',318,7,''),(5739,'Issue',318,3,'Detects modification of autostart extensibility point (ASEP) in registry'),(5740,'Issue',318,4,''),(5741,'Issue',318,5,'_False Positives_\nLegitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason\nLegitimate administrator sets up autorun keys for legitimate reason'),(5742,'Issue',318,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User\\ Shell\\ Folders*))\nindex: so-*\nname: Autorun Keys Modification\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5743,'Issue',318,9,'{{collapse(View Sigma)\n
\n\ntitle: Autorun Keys Modification\nid: 17f878b8-9968-4578-b814-c4217fc5768c\ndescription: Detects modification of autostart extensibility point (ASEP) in registry\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2019/10/21\nmodified: 2019/11/10\nauthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject|contains:\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\Run\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n  condition: selection\nfalsepositives:\n- Legitimate software automatically (mostly, during installation) sets up autorun\n  keys for legitimate reason\n- Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n\n
\n}}'),(5744,'Issue',318,15,'T1060'),(5745,'Issue',319,1,'CACTUSTORCH Remote Thread Creation'),(5746,'Issue',319,2,'@SBousseaden (detection), Thomas Patzke (rule)'),(5747,'Issue',319,8,'https://twitter.com/SBousseaden/status/1090588499517079552\nhttps://github.com/mdsecactivebreach/CACTUSTORCH'),(5748,'Issue',319,10,'high'),(5749,'Issue',319,13,'community'),(5750,'Issue',319,14,'windows'),(5752,'Issue',319,11,'3ea2f31f8'),(5753,'Issue',319,12,'2e4e488a-6164-4811-9ea1-f960c7359c40'),(5754,'Issue',319,16,'win-sysmon'),(5755,'Issue',319,17,''),(5756,'Issue',319,7,''),(5757,'Issue',319,3,'Detects remote thread creation from CACTUSTORCH as described in references.'),(5758,'Issue',319,4,''),(5759,'Issue',319,5,'_False Positives_\nunknown'),(5760,'Issue',319,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.SourceImage.keyword:(*\\\\System32\\\\cscript.exe OR *\\\\System32\\\\wscript.exe OR *\\\\System32\\\\mshta.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND event_data.TargetImage.keyword:*\\\\SysWOW64\\\\* AND NOT _exists_:event_data.StartModule)\nindex: so-*\nname: CACTUSTORCH Remote Thread Creation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5761,'Issue',319,9,'{{collapse(View Sigma)\n
\n\ntitle: CACTUSTORCH Remote Thread Creation\nid: 2e4e488a-6164-4811-9ea1-f960c7359c40\ndescription: Detects remote thread creation from CACTUSTORCH as described in references.\nreferences:\n- https://twitter.com/SBousseaden/status/1090588499517079552\n- https://github.com/mdsecactivebreach/CACTUSTORCH\nstatus: experimental\nauthor: \'@SBousseaden (detection), Thomas Patzke (rule)\'\ndate: 2019/02/01\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    SourceImage:\n    - \'*\\System32\\cscript.exe\'\n    - \'*\\System32\\wscript.exe\'\n    - \'*\\System32\\mshta.exe\'\n    - \'*\\winword.exe\'\n    - \'*\\excel.exe\'\n    TargetImage: \'*\\SysWOW64\\\\*\'\n    StartModule:\n  condition: selection\ntags:\n- attack.execution\n- attack.t1055\n- attack.t1064\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5762,'Issue',319,15,'T1055'),(5763,'Issue',319,15,'T1064'),(5764,'Issue',320,1,'CobaltStrike Process Injection'),(5765,'Issue',320,2,'Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community'),(5766,'Issue',320,8,'https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f\nhttps://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/'),(5767,'Issue',320,10,'high'),(5768,'Issue',320,13,'community'),(5769,'Issue',320,14,'windows'),(5771,'Issue',320,11,'28d3c60ec'),(5772,'Issue',320,12,'6309645e-122d-4c5b-bb2b-22e4f9c2fa42'),(5773,'Issue',320,16,'win-sysmon'),(5774,'Issue',320,17,''),(5775,'Issue',320,7,''),(5776,'Issue',320,3,'Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons'),(5777,'Issue',320,4,''),(5778,'Issue',320,5,'_False Positives_\nunknown'),(5779,'Issue',320,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND TargetProcessAddress.keyword:(*0B80 OR *0C7C OR *0C88))\nindex: so-*\nname: CobaltStrike Process Injection\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5780,'Issue',320,9,'{{collapse(View Sigma)\n
\n\ntitle: CobaltStrike Process Injection\nid: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42\ndescription: Detects a possible remote threat creation with certain characteristics\n  which are typical for Cobalt Strike beacons\nreferences:\n- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f\n- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/\ntags:\n- attack.defense_evasion\n- attack.t1055\nstatus: experimental\nauthor: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community\ndate: 2018/11/30\nmodified: 2019/11/08\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    TargetProcessAddress|endswith:\n    - 0B80\n    - 0C7C\n    - 0C88\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5781,'Issue',320,15,'T1055'),(5782,'Issue',321,1,'CreateRemoteThread API and LoadLibrary'),(5783,'Issue',321,2,'Roberto Rodriguez @Cyb3rWard0g'),(5784,'Issue',321,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md'),(5785,'Issue',321,10,'critical'),(5786,'Issue',321,13,'community'),(5787,'Issue',321,14,'windows'),(5789,'Issue',321,11,'3325ffed5'),(5790,'Issue',321,12,'052ec6f6-1adc-41e6-907a-f1c813478bee'),(5791,'Issue',321,16,'win-sysmon'),(5792,'Issue',321,17,''),(5793,'Issue',321,7,''),(5794,'Issue',321,3,'Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process'),(5795,'Issue',321,4,''),(5796,'Issue',321,5,'_False Positives_\nUnknown'),(5797,'Issue',321,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.StartModule.keyword:*\\\\kernel32.dll AND StartFunction:\"LoadLibraryA\")\nindex: so-*\nname: CreateRemoteThread API and LoadLibrary\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5798,'Issue',321,9,'{{collapse(View Sigma)\n
\n\ntitle: CreateRemoteThread API and LoadLibrary\nid: 052ec6f6-1adc-41e6-907a-f1c813478bee\ndescription: Detects potential use of CreateRemoteThread api and LoadLibrary function\n  to inject DLL into a process\nstatus: experimental\ndate: 2019/08/11\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    StartModule|endswith: \\kernel32.dll\n    StartFunction: LoadLibraryA\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(5799,'Issue',321,15,'T1055'),(5800,'Issue',322,1,'Credentials Dumping Tools Accessing LSASS Memory'),(5801,'Issue',322,2,'Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)'),(5802,'Issue',322,8,'https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\nhttps://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\nhttps://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttp://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf'),(5803,'Issue',322,10,'high'),(5804,'Issue',322,13,'community'),(5805,'Issue',322,14,'windows'),(5807,'Issue',322,11,'38beb365c'),(5808,'Issue',322,12,'32d0d3e2-e58d-4d41-926b-18b520b2b32d'),(5809,'Issue',322,16,'win-sysmon'),(5810,'Issue',322,17,''),(5811,'Issue',322,7,''),(5812,'Issue',322,3,'Detects process access LSASS memory which is typical for credentials dumping tools'),(5813,'Issue',322,4,''),(5814,'Issue',322,5,'_False Positives_\nLegitimate software accessing LSASS process for legitimate reason; update the whitelist with it\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage'),(5815,'Issue',322,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\lsass.exe AND event_data.GrantedAccess.keyword:(*0x40* OR *0x1000* OR *0x1400* OR *0x100000* OR *0x1410* OR *0x1010* OR *0x1438* OR *0x143a* OR *0x1418* OR *0x1f0fff* OR *0x1f1fff* OR *0x1f2fff* OR *0x1f3fff*)) AND (NOT (event_data.ProcessName.keyword:(*\\\\wmiprvse.exe OR *\\\\taskmgr.exe OR *\\\\procexp64.exe OR *\\\\procexp.exe OR *\\\\lsm.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\vmtoolsd.exe))))\nindex: so-*\nname: Credentials Dumping Tools Accessing LSASS Memory\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5816,'Issue',322,9,'{{collapse(View Sigma)\n
\n\ntitle: Credentials Dumping Tools Accessing LSASS Memory\nid: 32d0d3e2-e58d-4d41-926b-18b520b2b32d\nstatus: experimental\ndescription: Detects process access LSASS memory which is typical for credentials\n  dumping tools\nauthor: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas\n  Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community\n  (update)\ndate: 2017/02/16\nmodified: 2019/11/08\nreferences:\n- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\n- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf\ntags:\n- attack.t1003\n- attack.s0002\n- attack.credential_access\n- car.2019-04-004\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 10\n    TargetImage|endswith: \\lsass.exe\n    GrantedAccess|contains:\n    - \'0x40\'\n    - \'0x1000\'\n    - \'0x1400\'\n    - \'0x100000\'\n    - \'0x1410\'\n    - \'0x1010\'\n    - \'0x1438\'\n    - \'0x143a\'\n    - \'0x1418\'\n    - \'0x1f0fff\'\n    - \'0x1f1fff\'\n    - \'0x1f2fff\'\n    - \'0x1f3fff\'\n  filter:\n    ProcessName|endswith:\n    - \\wmiprvse.exe\n    - \\taskmgr.exe\n    - \\procexp64.exe\n    - \\procexp.exe\n    - \\lsm.exe\n    - \\csrss.exe\n    - \\wininit.exe\n    - \\vmtoolsd.exe\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- SourceImage\nfalsepositives:\n- Legitimate software accessing LSASS process for legitimate reason; update the whitelist\n  with it\nlevel: high\n\n
\n}}'),(5817,'Issue',322,15,'T1003'),(5818,'Issue',323,1,'Cred Dump Tools Dropped Files'),(5819,'Issue',323,2,'Teymur Kheirkhabarov, oscd.community'),(5820,'Issue',323,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5821,'Issue',323,10,'high'),(5822,'Issue',323,13,'community'),(5823,'Issue',323,14,'windows'),(5825,'Issue',323,11,'3205565a1'),(5826,'Issue',323,12,'8fbf3271-1ef6-4e94-8210-03c2317947f6'),(5827,'Issue',323,16,'win-sysmon'),(5828,'Issue',323,17,''),(5829,'Issue',323,7,''),(5830,'Issue',323,3,'Files with well-known filenames (parts of credential dump software or files produced by them) creation'),(5831,'Issue',323,4,''),(5832,'Issue',323,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(5833,'Issue',323,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:(*\\\\pwdump* OR *\\\\kirbi* OR *\\\\pwhashes* OR *\\\\wce_ccache* OR *\\\\wce_krbtkts* OR *\\\\fgdump\\-log*) AND event_data.TargetFilename.keyword:(*\\\\test.pwd OR *\\\\lsremora64.dll OR *\\\\lsremora.dll OR *\\\\fgexec.exe OR *\\\\wceaux.dll OR *\\\\SAM.out OR *\\\\SECURITY.out OR *\\\\SYSTEM.out OR *\\\\NTDS.out OR *\\\\DumpExt.dll OR *\\\\DumpSvc.exe OR *\\\\cachedump64.exe OR *\\\\cachedump.exe OR *\\\\pstgdump.exe OR *\\\\servpw.exe OR *\\\\servpw64.exe OR *\\\\pwdump.exe OR *\\\\procdump64.exe))\nindex: so-*\nname: Cred Dump Tools Dropped Files\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5834,'Issue',323,9,'{{collapse(View Sigma)\n
\n\ntitle: Cred Dump Tools Dropped Files\nid: 8fbf3271-1ef6-4e94-8210-03c2317947f6\ndescription: Files with well-known filenames (parts of credential dump software or\n  files produced by them) creation\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/11/01\nmodified: 2019/11/13\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename|contains:\n    - \\pwdump\n    - \\kirbi\n    - \\pwhashes\n    - \\wce_ccache\n    - \\wce_krbtkts\n    - \\fgdump-log\n    TargetFilename|endswith:\n    - \\test.pwd\n    - \\lsremora64.dll\n    - \\lsremora.dll\n    - \\fgexec.exe\n    - \\wceaux.dll\n    - \\SAM.out\n    - \\SECURITY.out\n    - \\SYSTEM.out\n    - \\NTDS.out\n    - \\DumpExt.dll\n    - \\DumpSvc.exe\n    - \\cachedump64.exe\n    - \\cachedump.exe\n    - \\pstgdump.exe\n    - \\servpw.exe\n    - \\servpw64.exe\n    - \\pwdump.exe\n    - \\procdump64.exe\n  condition: selection\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: high\nstatus: experimental\n\n
\n}}'),(5835,'Issue',323,15,'T1003'),(5836,'Issue',324,1,'Cred Dump-Tools Named Pipes'),(5837,'Issue',324,2,'Teymur Kheirkhabarov, oscd.community'),(5838,'Issue',324,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5839,'Issue',324,10,'critical'),(5840,'Issue',324,13,'community'),(5841,'Issue',324,14,'windows'),(5843,'Issue',324,11,'f819bdb50'),(5844,'Issue',324,12,'961d0ba2-3eea-4303-a930-2cf78bbfcc5e'),(5845,'Issue',324,16,'win-sysmon'),(5846,'Issue',324,17,''),(5847,'Issue',324,7,''),(5848,'Issue',324,3,'Detects well-known credential dumping tools execution via specific named pipes'),(5849,'Issue',324,4,''),(5850,'Issue',324,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(5851,'Issue',324,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"17\" AND event_data.PipeName.keyword:(*\\\\lsadump* OR *\\\\cachedump* OR *\\\\wceservicepipe*))\nindex: so-*\nname: Cred Dump-Tools Named Pipes\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5852,'Issue',324,9,'{{collapse(View Sigma)\n
\n\ntitle: Cred Dump-Tools Named Pipes\nid: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e\ndescription: Detects well-known credential dumping tools execution via specific named\n  pipes\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/11/01\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 17\n    PipeName|contains:\n    - \\lsadump\n    - \\cachedump\n    - \\wceservicepipe\n  condition: selection\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: critical\nstatus: experimental\n\n
\n}}'),(5853,'Issue',324,15,'T1003'),(5854,'Issue',325,1,'DHCP Callout DLL Installation'),(5855,'Issue',325,2,'Dimitrios Slamaris'),(5856,'Issue',325,8,'https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\nhttps://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx\nhttps://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx'),(5857,'Issue',325,10,'high'),(5858,'Issue',325,13,'community'),(5859,'Issue',325,14,'windows'),(5861,'Issue',325,11,'6fbe5639d'),(5862,'Issue',325,12,'9d3436ef-9476-4c43-acca-90ce06bdf33a'),(5863,'Issue',325,16,'win-sysmon'),(5864,'Issue',325,17,''),(5865,'Issue',325,7,''),(5866,'Issue',325,3,'Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)'),(5867,'Issue',325,4,''),(5868,'Issue',325,5,'_False Positives_\nunknown'),(5869,'Issue',325,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls OR *\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled))\nindex: so-*\nname: DHCP Callout DLL Installation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5870,'Issue',325,9,'{{collapse(View Sigma)\n
\n\ntitle: DHCP Callout DLL Installation\nid: 9d3436ef-9476-4c43-acca-90ce06bdf33a\nstatus: experimental\ndescription: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled\n  parameter in Registry, which can be used to execute code in context of the DHCP\n  server (restart required)\nreferences:\n- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\n- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx\n- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx\ndate: 2017/05/15\nauthor: Dimitrios Slamaris\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.t1112\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject:\n    - \'*\\Services\\DHCPServer\\Parameters\\CalloutDlls\'\n    - \'*\\Services\\DHCPServer\\Parameters\\CalloutEnabled\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5871,'Issue',325,15,'T1073'),(5872,'Issue',325,15,'T1112'),(5873,'Issue',326,1,'Disable Security Events Logging Adding Reg Key MiniNt'),(5874,'Issue',326,2,'Ilyas Ochkov, oscd.community'),(5875,'Issue',326,8,'https://twitter.com/0gtweet/status/1182516740955226112'),(5876,'Issue',326,10,'high'),(5877,'Issue',326,13,'community'),(5878,'Issue',326,14,'windows'),(5880,'Issue',326,11,'685c808fd'),(5881,'Issue',326,12,'919f2ef0-be2d-4a7a-b635-eb2b41fde044'),(5882,'Issue',326,16,'win-sysmon'),(5883,'Issue',326,17,''),(5884,'Issue',326,7,''),(5885,'Issue',326,3,'Detects the addition of a key \'MiniNt\' to the registry. Upon a reboot, Windows Event Log service will stopped write events.'),(5886,'Issue',326,4,''),(5887,'Issue',326,5,'_False Positives_\nUnkown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(5888,'Issue',326,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"12\" AND event_data.TargetObject:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt\") OR (event.code:\"14\" AND NewName:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt\")))\nindex: so-*\nname: Disable Security Events Logging Adding Reg Key MiniNt\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5889,'Issue',326,9,'{{collapse(View Sigma)\n
\n\ntitle: Disable Security Events Logging Adding Reg Key MiniNt\nid: 919f2ef0-be2d-4a7a-b635-eb2b41fde044\nstatus: experimental\ndescription: Detects the addition of a key \'MiniNt\' to the registry. Upon a reboot,\n  Windows Event Log service will stopped write events.\nreferences:\n- https://twitter.com/0gtweet/status/1182516740955226112\ntags:\n- attack.defense_evasion\n- attack.t1089\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n  - EventID: 12\n    TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\n  - EventID: 14\n    NewName: HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\n  condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(5890,'Issue',326,15,'T1089'),(5891,'Issue',327,1,'Detection of SafetyKatz'),(5892,'Issue',327,2,'Markus Neis'),(5893,'Issue',327,8,'https://github.com/GhostPack/SafetyKatz'),(5894,'Issue',327,10,'high'),(5895,'Issue',327,13,'community'),(5896,'Issue',327,14,'windows'),(5898,'Issue',327,11,'de878e0bb'),(5899,'Issue',327,12,'e074832a-eada-4fd7-94a1-10642b130e16'),(5900,'Issue',327,16,'win-sysmon'),(5901,'Issue',327,17,''),(5902,'Issue',327,7,''),(5903,'Issue',327,3,'Detects possible SafetyKatz Behaviour'),(5904,'Issue',327,4,''),(5905,'Issue',327,5,'_False Positives_\nUnknown'),(5906,'Issue',327,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\Temp\\\\debug.bin)\nindex: so-*\nname: Detection of SafetyKatz\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5907,'Issue',327,9,'{{collapse(View Sigma)\n
\n\ntitle: Detection of SafetyKatz\nid: e074832a-eada-4fd7-94a1-10642b130e16\nstatus: experimental\ndescription: Detects possible SafetyKatz Behaviour\nreferences:\n- https://github.com/GhostPack/SafetyKatz\ntags:\n- attack.credential_access\n- attack.t1003\nauthor: Markus Neis\ndate: 2018/07/24\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename: \'*\\Temp\\debug.bin\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(5908,'Issue',327,15,'T1003'),(5909,'Issue',328,1,'Suspicious In-Memory Module Execution'),(5910,'Issue',328,2,'Perez Diego (@darkquassar), oscd.community'),(5911,'Issue',328,8,'https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/'),(5912,'Issue',328,10,'critical'),(5913,'Issue',328,13,'community'),(5914,'Issue',328,14,'windows'),(5916,'Issue',328,11,'0b938deb6'),(5917,'Issue',328,12,'5f113a8f-8b61-41ca-b90f-d374fa7e4a39'),(5918,'Issue',328,16,'win-sysmon'),(5919,'Issue',328,17,''),(5920,'Issue',328,7,''),(5921,'Issue',328,3,'Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display \"UNKNOWN\" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.'),(5922,'Issue',328,4,''),(5923,'Issue',328,5,'_False Positives_\nLow\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage\nTargetImage\nCallTrace'),(5924,'Issue',328,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND (event_data.CallTrace.keyword:(C\\:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll\\+*|C\\:\\\\Windows\\\\System32\\\\KERNELBASE.dll\\+*|UNKNOWN\\(*\\) OR *UNKNOWN\\(*\\)|UNKNOWN\\(*\\)) OR (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.CallTrace.keyword:*UNKNOWN* AND event_data.GrantedAccess:(\"0x1F0FFF\" OR \"0x1F1FFF\" OR \"0x143A\" OR \"0x1410\" OR \"0x1010\" OR \"0x1F2FFF\" OR \"0x1F3FFF\" OR \"0x1FFFFF\"))))\nindex: so-*\nname: Suspicious In-Memory Module Execution\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5925,'Issue',328,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious In-Memory Module Execution\nid: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39\ndescription: Detects the access to processes by other suspicious processes which have\n  reflectively loaded libraries in their memory space. An example is SilentTrinity\n  C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack\n  call to a dll loaded from disk (the standard way), it will display \"UNKNOWN\" as\n  the module name. Usually this means the stack call points to a module that was reflectively\n  loaded in memory. Adding to this, it is not common to see such few calls in the\n  stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most\n  of the functions required by the process to execute certain routines are already\n  present in memory, not requiring any calls to external libraries. The latter should\n  also be considered suspicious.\nstatus: experimental\ndate: 2019/10/27\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/\ntags:\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_01:\n    EventID: 10\n    CallTrace:\n    - C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*|UNKNOWN(*)\n    - \'*UNKNOWN(*)|UNKNOWN(*)\'\n  selection_02:\n    EventID: 10\n    CallTrace: \'*UNKNOWN*\'\n  granted_access:\n    GrantedAccess:\n    - \'0x1F0FFF\'\n    - \'0x1F1FFF\'\n    - \'0x143A\'\n    - \'0x1410\'\n    - \'0x1010\'\n    - \'0x1F2FFF\'\n    - \'0x1F3FFF\'\n    - \'0x1FFFFF\'\n  condition: selection_01 OR (selection_02 AND granted_access)\nfields:\n- ComputerName\n- User\n- SourceImage\n- TargetImage\n- CallTrace\nlevel: critical\nfalsepositives:\n- Low\n\n
\n}}'),(5926,'Issue',328,15,'T1055'),(5927,'Issue',329,1,'In-memory PowerShell'),(5928,'Issue',329,2,'Tom Kern, oscd.community'),(5929,'Issue',329,8,'https://adsecurity.org/?p=2921\nhttps://github.com/p3nt4/PowerShdll'),(5930,'Issue',329,10,'high'),(5931,'Issue',329,13,'community'),(5932,'Issue',329,14,'windows'),(5934,'Issue',329,11,'442bc82a3'),(5935,'Issue',329,12,'092bc4b9-3d1d-43b4-a6b4-8c8acd83522f'),(5936,'Issue',329,16,'win-sysmon'),(5937,'Issue',329,17,''),(5938,'Issue',329,7,''),(5939,'Issue',329,3,'Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter\'s \"load powershell\" extension.'),(5940,'Issue',329,4,''),(5941,'Issue',329,5,'_False Positives_\nUsed by some .NET binaries, minimal on user workstation.'),(5942,'Issue',329,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\System.Management.Automation.Dll OR *\\\\System.Management.Automation.ni.Dll)) AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe) AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: In-memory PowerShell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5943,'Issue',329,9,'{{collapse(View Sigma)\n
\n\ntitle: In-memory PowerShell\nid: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f\nstatus: experimental\ndescription: Detects loading of essential DLL used by PowerShell, but not by the process\n  powershell.exe. Detects meterpreter\'s \"load powershell\" extension.\nauthor: Tom Kern, oscd.community\ndate: 2019/11/14\nmodified: 2019/11/30\nreferences:\n- https://adsecurity.org/?p=2921\n- https://github.com/p3nt4/PowerShdll\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    ImageLoaded|endswith:\n    - \\System.Management.Automation.Dll\n    - \\System.Management.Automation.ni.Dll\n  filter:\n    Image|endswith:\n    - \\powershell.exe\n    - \\WINDOWS\\System32\\sdiagnhost.exe\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection and not filter\nfalsepositives:\n- Used by some .NET binaries, minimal on user workstation.\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0003_enrich_other_sysmon_events_with_event_id_1_data\n\n
\n}}'),(5944,'Issue',329,15,'T1086'),(5945,'Issue',330,1,'Suspect Svchost Memory Asccess'),(5946,'Issue',330,2,'Tim Burrell'),(5947,'Issue',330,8,'https://github.com/hlldz/Invoke-Phant0m\nhttps://twitter.com/timbmsft/status/900724491076214784'),(5948,'Issue',330,10,'high'),(5949,'Issue',330,13,'community'),(5950,'Issue',330,14,'windows'),(5952,'Issue',330,11,'ff9ac8949'),(5953,'Issue',330,12,'166e9c50-8cd9-44af-815d-d1f0c0e90dde'),(5954,'Issue',330,16,'win-sysmon'),(5955,'Issue',330,17,''),(5956,'Issue',330,7,''),(5957,'Issue',330,3,'Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.'),(5958,'Issue',330,4,''),(5959,'Issue',330,5,'_False Positives_\nunknown'),(5960,'Issue',330,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\windows\\\\system32\\\\svchost.exe AND event_data.GrantedAccess:\"0x1f3fff\" AND event_data.CallTrace.keyword:(*unknown*))\nindex: so-*\nname: Suspect Svchost Memory Asccess\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5961,'Issue',330,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspect Svchost Memory Asccess\nid: 166e9c50-8cd9-44af-815d-d1f0c0e90dde\nstatus: experimental\ndescription: Detects suspect access to svchost process memory such as that used by\n  Invoke-Phantom to kill the winRM windows event logging service.\nauthor: Tim Burrell\ndate: 2020/01/02\nreferences:\n- https://github.com/hlldz/Invoke-Phant0m\n- https://twitter.com/timbmsft/status/900724491076214784\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 10\n    TargetImage: \'*\\windows\\system32\\svchost.exe\'\n    GrantedAccess: \'0x1f3fff\'\n    CallTrace:\n    - \'*unknown*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5962,'Issue',330,15,'T1089'),(5963,'Issue',331,1,'LSASS Memory Dump'),(5964,'Issue',331,2,'Samir Bousseaden'),(5965,'Issue',331,8,'https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html'),(5966,'Issue',331,10,'high'),(5967,'Issue',331,13,'community'),(5968,'Issue',331,14,'windows'),(5970,'Issue',331,11,'183b4c501'),(5971,'Issue',331,12,'5ef9853e-4d0e-4a70-846f-a9ca37d876da'),(5972,'Issue',331,16,'win-sysmon'),(5973,'Issue',331,17,''),(5974,'Issue',331,7,''),(5975,'Issue',331,3,'Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10'),(5976,'Issue',331,4,''),(5977,'Issue',331,5,'_False Positives_\nunknown'),(5978,'Issue',331,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage:\"C\\:\\\\windows\\\\system32\\\\lsass.exe\" AND event_data.GrantedAccess:\"0x1fffff\" AND event_data.CallTrace.keyword:(*dbghelp.dll* OR *dbgcore.dll*))\nindex: so-*\nname: LSASS Memory Dump\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5979,'Issue',331,9,'{{collapse(View Sigma)\n
\n\ntitle: LSASS Memory Dump\nid: 5ef9853e-4d0e-4a70-846f-a9ca37d876da\nstatus: experimental\ndescription: Detects process LSASS memory dump using procdump or taskmgr based on\n  the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10\nauthor: Samir Bousseaden\ndate: 2019/04/03\nreferences:\n- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html\ntags:\n- attack.t1003\n- attack.s0002\n- attack.credential_access\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 10\n    TargetImage: C:\\windows\\system32\\lsass.exe\n    GrantedAccess: \'0x1fffff\'\n    CallTrace:\n    - \'*dbghelp.dll*\'\n    - \'*dbgcore.dll*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5980,'Issue',331,15,'T1003'),(5981,'Issue',332,1,'LSASS Memory Dump File Creation'),(5982,'Issue',332,2,'Teymur Kheirkhabarov, oscd.community'),(5983,'Issue',332,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5984,'Issue',332,10,'medium'),(5985,'Issue',332,13,'community'),(5986,'Issue',332,14,'windows'),(5988,'Issue',332,11,'d6052fb1a'),(5989,'Issue',332,12,'5e3d3601-0662-4af0-b1d2-36a05e90c40a'),(5990,'Issue',332,16,'win-sysmon'),(5991,'Issue',332,17,''),(5992,'Issue',332,7,''),(5993,'Issue',332,3,'LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified'),(5994,'Issue',332,4,''),(5995,'Issue',332,5,'_False Positives_\nDumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator\n\n_Interesting Log Fields_\nComputerName\nTargetFileName'),(5996,'Issue',332,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*lsass* AND event_data.TargetFilename.keyword:*dmp)\nindex: so-*\nname: LSASS Memory Dump File Creation\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(5997,'Issue',332,9,'{{collapse(View Sigma)\n
\n\ntitle: LSASS Memory Dump File Creation\nid: 5e3d3601-0662-4af0-b1d2-36a05e90c40a\ndescription: LSASS memory dump creation using operating systems utilities. Procdump\n  will use process name in output file if no name is specified\nauthor: Teymur Kheirkhabarov, oscd.community\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ndate: 2019/10/22\nmodified: 2019/11/13\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename|contains: lsass\n    TargetFilename|endswith: dmp\n  condition: selection\nfields:\n- ComputerName\n- TargetFileName\nfalsepositives:\n- Dumping lsass memory for forensic investigation purposes by legitimate incident\n  responder or forensic invetigator\nlevel: medium\nstatus: experimental\n\n
\n}}'),(5998,'Issue',332,15,'T1003'),(5999,'Issue',333,1,'Malicious Named Pipe'),(6000,'Issue',333,2,'Florian Roth'),(6001,'Issue',333,8,'Various sources'),(6002,'Issue',333,10,'critical'),(6003,'Issue',333,13,'community'),(6004,'Issue',333,14,'windows'),(6006,'Issue',333,11,'192999425'),(6007,'Issue',333,12,'fe3ac066-98bb-432a-b1e7-a5229cb39d4a'),(6008,'Issue',333,16,'win-sysmon'),(6009,'Issue',333,17,''),(6010,'Issue',333,7,''),(6011,'Issue',333,3,'Detects the creation of a named pipe used by known APT malware'),(6012,'Issue',333,4,''),(6013,'Issue',333,5,'_False Positives_\nUnkown'),(6014,'Issue',333,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"17\" OR \"18\") AND event_data.PipeName.keyword:(\\\\isapi_http OR \\\\isapi_dg OR \\\\isapi_dg2 OR \\\\sdlrpc OR \\\\ahexec OR \\\\winsession OR \\\\lsassw OR \\\\46a676ab7f179e511e30dd2dc41bd388 OR \\\\9f81f59bc58452127884ce513865ed20 OR \\\\e710f28d59aa529d6792ca6ff0ca1b34 OR \\\\rpchlp_3 OR \\\\NamePipe_MoreWindows OR \\\\pcheap_reuse OR \\\\msagent_* OR \\\\gruntsvc))\nindex: so-*\nname: Malicious Named Pipe\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6015,'Issue',333,9,'{{collapse(View Sigma)\n
\n\ntitle: Malicious Named Pipe\nid: fe3ac066-98bb-432a-b1e7-a5229cb39d4a\nstatus: experimental\ndescription: Detects the creation of a named pipe used by known APT malware\nreferences:\n- Various sources\ndate: 2017/11/06\nauthor: Florian Roth\nlogsource:\n  product: windows\n  service: sysmon\n  definition: Note that you have to configure logging for PipeEvents in Symson config\ndetection:\n  selection:\n    EventID:\n    - 17\n    - 18\n    PipeName:\n    - \\isapi_http\n    - \\isapi_dg\n    - \\isapi_dg2\n    - \\sdlrpc\n    - \\ahexec\n    - \\winsession\n    - \\lsassw\n    - \\46a676ab7f179e511e30dd2dc41bd388\n    - \\9f81f59bc58452127884ce513865ed20\n    - \\e710f28d59aa529d6792ca6ff0ca1b34\n    - \\rpchlp_3\n    - \\NamePipe_MoreWindows\n    - \\pcheap_reuse\n    - \\msagent_*\n    - \\gruntsvc\n  condition: selection\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nfalsepositives:\n- Unkown\nlevel: critical\n\n
\n}}'),(6016,'Issue',333,15,'T1055'),(6017,'Issue',334,1,'Suspicious Typical Malware Back Connect Ports'),(6018,'Issue',334,2,'Florian Roth'),(6019,'Issue',334,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(6020,'Issue',334,10,'medium'),(6021,'Issue',334,13,'community'),(6022,'Issue',334,14,'windows'),(6024,'Issue',334,11,'1e14702d5'),(6025,'Issue',334,12,'4b89abaa-99fe-4232-afdd-8f9aa4d20382'),(6026,'Issue',334,16,'win-sysmon'),(6027,'Issue',334,17,''),(6028,'Issue',334,7,''),(6029,'Issue',334,3,'Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases'),(6030,'Issue',334,4,''),(6031,'Issue',334,5,'_False Positives_\nunknown'),(6032,'Issue',334,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND event_data.Initiated:\"true\" AND destination_port:(\"4443\" OR \"2448\" OR \"8143\" OR \"1777\" OR \"1443\" OR \"243\" OR \"65535\" OR \"13506\" OR \"3360\" OR \"200\" OR \"198\" OR \"49180\" OR \"13507\" OR \"6625\" OR \"4444\" OR \"4438\" OR \"1904\" OR \"13505\" OR \"13504\" OR \"12102\" OR \"9631\" OR \"5445\" OR \"2443\" OR \"777\" OR \"13394\" OR \"13145\" OR \"12103\" OR \"5552\" OR \"3939\" OR \"3675\" OR \"666\" OR \"473\" OR \"5649\" OR \"4455\" OR \"4433\" OR \"1817\" OR \"100\" OR \"65520\" OR \"1960\" OR \"1515\" OR \"743\" OR \"700\" OR \"14154\" OR \"14103\" OR \"14102\" OR \"12322\" OR \"10101\" OR \"7210\" OR \"4040\" OR \"9943\")) AND (NOT ((event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\Program\\ Files* OR (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND event_data.DestinationIsIpv6:\"false\"))))))\nindex: so-*\nname: Suspicious Typical Malware Back Connect Ports\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6033,'Issue',334,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Typical Malware Back Connect Ports\nid: 4b89abaa-99fe-4232-afdd-8f9aa4d20382\nstatus: experimental\ndescription: Detects programs that connect to typical malware back connect ports based\n  on statistical analysis from two different sandbox system databases\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nauthor: Florian Roth\ndate: 2017/03/19\ntags:\n- attack.command_and_control\n- attack.t1043\nlogsource:\n  product: windows\n  service: sysmon\n  definition: \'Use the following config to generate the necessary Event ID 10 Process\n    Access events: VBE7.DLLUNKNOWN\'\ndetection:\n  selection:\n    EventID: 3\n    Initiated: \'true\'\n    DestinationPort:\n    - \'4443\'\n    - \'2448\'\n    - \'8143\'\n    - \'1777\'\n    - \'1443\'\n    - \'243\'\n    - \'65535\'\n    - \'13506\'\n    - \'3360\'\n    - \'200\'\n    - \'198\'\n    - \'49180\'\n    - \'13507\'\n    - \'6625\'\n    - \'4444\'\n    - \'4438\'\n    - \'1904\'\n    - \'13505\'\n    - \'13504\'\n    - \'12102\'\n    - \'9631\'\n    - \'5445\'\n    - \'2443\'\n    - \'777\'\n    - \'13394\'\n    - \'13145\'\n    - \'12103\'\n    - \'5552\'\n    - \'3939\'\n    - \'3675\'\n    - \'666\'\n    - \'473\'\n    - \'5649\'\n    - \'4455\'\n    - \'4433\'\n    - \'1817\'\n    - \'100\'\n    - \'65520\'\n    - \'1960\'\n    - \'1515\'\n    - \'743\'\n    - \'700\'\n    - \'14154\'\n    - \'14103\'\n    - \'14102\'\n    - \'12322\'\n    - \'10101\'\n    - \'7210\'\n    - \'4040\'\n    - \'9943\'\n  filter1:\n    Image: \'*\\Program Files*\'\n  filter2:\n    DestinationIp:\n    - 10.*\n    - 192.168.*\n    - 172.16.*\n    - 172.17.*\n    - 172.18.*\n    - 172.19.*\n    - 172.20.*\n    - 172.21.*\n    - 172.22.*\n    - 172.23.*\n    - 172.24.*\n    - 172.25.*\n    - 172.26.*\n    - 172.27.*\n    - 172.28.*\n    - 172.29.*\n    - 172.30.*\n    - 172.31.*\n    - 127.*\n    DestinationIsIpv6: \'false\'\n  condition: selection and not ( filter1 or filter2 )\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(6034,'Issue',334,15,'T1043'),(6035,'Issue',335,1,'Malware Shellcode in Verclsid Target Process'),(6036,'Issue',335,2,'John Lambert (tech), Florian Roth (rule)'),(6037,'Issue',335,8,'https://twitter.com/JohnLaTwC/status/837743453039534080'),(6038,'Issue',335,10,'high'),(6039,'Issue',335,13,'community'),(6040,'Issue',335,14,'windows'),(6042,'Issue',335,11,'0ff3c02c6'),(6043,'Issue',335,12,'b7967e22-3d7e-409b-9ed5-cdae3f9243a1'),(6044,'Issue',335,16,'win-sysmon'),(6045,'Issue',335,17,''),(6046,'Issue',335,7,''),(6047,'Issue',335,3,'Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro'),(6048,'Issue',335,4,''),(6049,'Issue',335,5,'_False Positives_\nunknown'),(6050,'Issue',335,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\verclsid.exe AND event_data.GrantedAccess:\"0x1FFFFF\") AND (event_data.CallTrace.keyword:*|UNKNOWN\\(*VBE7.DLL* OR (event_data.SourceImage.keyword:*\\\\Microsoft\\ Office\\\\* AND event_data.CallTrace.keyword:*|UNKNOWN*)))\nindex: so-*\nname: Malware Shellcode in Verclsid Target Process\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6051,'Issue',335,9,'{{collapse(View Sigma)\n
\n\ntitle: Malware Shellcode in Verclsid Target Process\nid: b7967e22-3d7e-409b-9ed5-cdae3f9243a1\nstatus: experimental\ndescription: Detects a process access to verclsid.exe that injects shellcode from\n  a Microsoft Office application / VBA macro\nreferences:\n- https://twitter.com/JohnLaTwC/status/837743453039534080\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nauthor: John Lambert (tech), Florian Roth (rule)\ndate: 2017/03/04\nlogsource:\n  product: windows\n  service: sysmon\n  definition: \'Use the following config to generate the necessary Event ID 10 Process\n    Access events: VBE7.DLLUNKNOWN\'\ndetection:\n  selection:\n    EventID: 10\n    TargetImage: \'*\\verclsid.exe\'\n    GrantedAccess: \'0x1FFFFF\'\n  combination1:\n    CallTrace: \'*|UNKNOWN(*VBE7.DLL*\'\n  combination2:\n    SourceImage: \'*\\Microsoft Office\\\\*\'\n    CallTrace: \'*|UNKNOWN*\'\n  condition: selection and 1 of combination*\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6052,'Issue',335,15,'T1055'),(6053,'Issue',336,1,'Mimikatz In-Memory'),(6054,'Issue',336,2,'none'),(6055,'Issue',336,8,'https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/'),(6056,'Issue',336,10,'medium'),(6057,'Issue',336,13,'community'),(6058,'Issue',336,14,'windows'),(6060,'Issue',336,11,'aa5743912'),(6061,'Issue',336,12,'c0478ead-5336-46c2-bd5e-b4c84bc3a36e'),(6062,'Issue',336,16,'win-sysmon'),(6063,'Issue',336,17,''),(6064,'Issue',336,7,''),(6065,'Issue',336,3,'Detects certain DLL loads when Mimikatz gets executed'),(6066,'Issue',336,4,''),(6067,'Issue',336,5,'_False Positives_\nunknown'),(6068,'Issue',336,6,'{{collapse(View ElastAlert Config)\n
\n\n\n
\n}}'),(6069,'Issue',336,9,'{{collapse(View Sigma)\n
\n\ntitle: Mimikatz In-Memory\nid: c0478ead-5336-46c2-bd5e-b4c84bc3a36e\nstatus: experimental\ndescription: Detects certain DLL loads when Mimikatz gets executed\nreferences:\n- https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/\ntags:\n- attack.s0002\n- attack.t1003\n- attack.lateral_movement\n- attack.credential_access\n- car.2019-04-004\nlogsource:\n  product: windows\n  service: sysmon\ndate: 2017/03/13\ndetection:\n  selector:\n    EventID: 7\n    Image: C:\\Windows\\System32\\rundll32.exe\n  dllload1:\n    ImageLoaded: \'*\\vaultcli.dll\'\n  dllload2:\n    ImageLoaded: \'*\\wlanapi.dll\'\n  exclusion:\n    ImageLoaded:\n    - ntdsapi.dll\n    - netapi32.dll\n    - imm32.dll\n    - samlib.dll\n    - combase.dll\n    - srvcli.dll\n    - shcore.dll\n    - ntasn1.dll\n    - cryptdll.dll\n    - logoncli.dll\n  timeframe: 30s\n  condition: selector | near dllload1 and dllload2 and not exclusion\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(6070,'Issue',336,15,'T1003'),(6071,'Issue',337,1,'Mimikatz through Windows Remote Management'),(6072,'Issue',337,2,'Patryk Prauze - ING Tech'),(6073,'Issue',337,8,'https://pentestlab.blog/2018/05/15/lateral-movement-winrm/'),(6074,'Issue',337,10,'high'),(6075,'Issue',337,13,'community'),(6076,'Issue',337,14,'windows'),(6078,'Issue',337,11,'e1af444f5'),(6079,'Issue',337,12,'aa35a627-33fb-4d04-a165-d33b4afca3e8'),(6080,'Issue',337,16,'win-sysmon'),(6081,'Issue',337,17,''),(6082,'Issue',337,7,''),(6083,'Issue',337,3,'Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.'),(6084,'Issue',337,4,''),(6085,'Issue',337,5,'_False Positives_\nlow'),(6086,'Issue',337,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage:\"C\\:\\\\windows\\\\system32\\\\lsass.exe\" AND event_data.SourceImage:\"C\\:\\\\Windows\\\\system32\\\\wsmprovhost.exe\")\nindex: so-*\nname: Mimikatz through Windows Remote Management\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6087,'Issue',337,9,'{{collapse(View Sigma)\n
\n\ntitle: Mimikatz through Windows Remote Management\nid: aa35a627-33fb-4d04-a165-d33b4afca3e8\ndescription: Detects usage of mimikatz through WinRM protocol by monitoring access\n  to lsass process by wsmprovhost.exe.\nreferences:\n- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/\nstatus: stable\nauthor: Patryk Prauze - ING Tech\ndate: 2019/05/20\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 10\n    TargetImage: C:\\windows\\system32\\lsass.exe\n    SourceImage: C:\\Windows\\system32\\wsmprovhost.exe\n  condition: selection\ntags:\n- attack.credential_access\n- attack.execution\n- attack.t1003\n- attack.t1028\n- attack.s0005\nfalsepositives:\n- low\nlevel: high\n\n
\n}}'),(6088,'Issue',337,15,'T1003'),(6089,'Issue',337,15,'T1028'),(6090,'Issue',338,1,'Dumping Lsass.exe Memory with MiniDumpWriteDump API'),(6091,'Issue',338,2,'Perez Diego (@darkquassar), oscd.community'),(6092,'Issue',338,8,'https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\nhttps://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html\nhttps://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6'),(6093,'Issue',338,10,'critical'),(6094,'Issue',338,13,'community'),(6095,'Issue',338,14,'windows'),(6097,'Issue',338,11,'465ca35d4'),(6098,'Issue',338,12,'dd5ab153-beaa-4315-9647-65abc5f71541'),(6099,'Issue',338,16,'win-sysmon'),(6100,'Issue',338,17,''),(6101,'Issue',338,7,''),(6102,'Issue',338,3,'Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker\'s machine.'),(6103,'Issue',338,4,''),(6104,'Issue',338,5,'_False Positives_\nPenetration tests\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nImageLoaded'),(6105,'Issue',338,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (((event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\dbghelp.dll OR *\\\\dbgcore.dll) AND process.executable.keyword:(*\\\\msbuild.exe OR *\\\\cmd.exe OR *\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\powershell.exe OR *\\\\word.exe OR *\\\\excel.exe OR *\\\\powerpnt.exe OR *\\\\outlook.exe OR *\\\\monitoringhost.exe OR *\\\\wmic.exe OR *\\\\msiexec.exe OR *\\\\bash.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\schtasks.exe OR *\\\\dnx.exe OR *\\\\regsvcs.exe OR *\\\\sc.exe OR *\\\\scriptrunner.exe)) AND (NOT (process.executable.keyword:*Visual\\ Studio*))) OR ((event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\dbghelp.dll OR *\\\\dbgcore.dll) AND Signed:\"FALSE\") AND (NOT (process.executable.keyword:*Visual\\ Studio*)))))\nindex: so-*\nname: Dumping Lsass.exe Memory with MiniDumpWriteDump API\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6106,'Issue',338,9,'{{collapse(View Sigma)\n
\n\ntitle: Dumping Lsass.exe Memory with MiniDumpWriteDump API\nid: dd5ab153-beaa-4315-9647-65abc5f71541\nstatus: experimental\ndescription: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory\n  in a stealth way. Tools like ProcessHacker and some attacker tradecract use this\n  API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework\n  has a module that leverages this API to dump the contents of Lsass.exe and transfer\n  it over the network back to the attacker\'s machine.\ndate: 2019/10/27\nmodified: 2019/11/13\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\n- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html\n- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  signedprocess:\n    EventID: 7\n    ImageLoaded|endswith:\n    - \\dbghelp.dll\n    - \\dbgcore.dll\n    Image|endswith:\n    - \\msbuild.exe\n    - \\cmd.exe\n    - \\svchost.exe\n    - \\rundll32.exe\n    - \\powershell.exe\n    - \\word.exe\n    - \\excel.exe\n    - \\powerpnt.exe\n    - \\outlook.exe\n    - \\monitoringhost.exe\n    - \\wmic.exe\n    - \\msiexec.exe\n    - \\bash.exe\n    - \\wscript.exe\n    - \\cscript.exe\n    - \\mshta.exe\n    - \\regsvr32.exe\n    - \\schtasks.exe\n    - \\dnx.exe\n    - \\regsvcs.exe\n    - \\sc.exe\n    - \\scriptrunner.exe\n  unsignedprocess:\n    EventID: 7\n    ImageLoaded|endswith:\n    - \\dbghelp.dll\n    - \\dbgcore.dll\n    Signed: \'FALSE\'\n  filter:\n    Image|contains: Visual Studio\n  condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)\nfields:\n- ComputerName\n- User\n- Image\n- ImageLoaded\nfalsepositives:\n- Penetration tests\nlevel: critical\n\n
\n}}'),(6107,'Issue',338,15,'T1003'),(6108,'Issue',339,1,'Narrator\'s Feedback-Hub Persistence'),(6109,'Issue',339,2,'Dmitriy Lifanov, oscd.community'),(6110,'Issue',339,8,'https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html'),(6111,'Issue',339,10,'high'),(6112,'Issue',339,13,'community'),(6113,'Issue',339,14,'windows'),(6115,'Issue',339,11,'cfdda5bc0'),(6116,'Issue',339,12,'f663a6d9-9d1b-49b8-b2b1-0637914d199a'),(6117,'Issue',339,16,'win-sysmon'),(6118,'Issue',339,17,''),(6119,'Issue',339,7,''),(6120,'Issue',339,3,'Detects abusing Windows 10 Narrator\'s Feedback-Hub'),(6121,'Issue',339,4,''),(6122,'Issue',339,5,'_False Positives_\nunknown'),(6123,'Issue',339,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"12\" AND event_data.EventType:\"DeleteValue\" AND event_data.TargetObject.keyword:*\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute) OR (event.code:\"13\" AND event_data.TargetObject.keyword:*\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\\\(Default\\))))\nindex: so-*\nname: Narrator\'s Feedback-Hub Persistence\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6124,'Issue',339,9,'{{collapse(View Sigma)\n
\n\ntitle: Narrator\'s Feedback-Hub Persistence\nid: f663a6d9-9d1b-49b8-b2b1-0637914d199a\ndescription: Detects abusing Windows 10 Narrator\'s Feedback-Hub\nreferences:\n- https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html\ntags:\n- attack.persistence\n- attack.t1060\nauthor: Dmitriy Lifanov, oscd.community\nstatus: experimental\ndate: 2019/10/25\nmodified: 2019/11/10\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection1:\n    EventID: 12\n    EventType: DeleteValue\n    TargetObject|endswith: \\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute\n  selection2:\n    EventID: 13\n    TargetObject|endswith: \\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)\n  condition: 1 of them\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6125,'Issue',339,15,'T1060'),(6126,'Issue',340,1,'New DLL Added to AppCertDlls Registry Key'),(6127,'Issue',340,2,'Ilyas Ochkov, oscd.community'),(6128,'Issue',340,8,'http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/\nhttps://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html'),(6129,'Issue',340,10,'medium'),(6130,'Issue',340,13,'community'),(6131,'Issue',340,14,'windows'),(6133,'Issue',340,11,'c62e6aeb2'),(6134,'Issue',340,12,'6aa1d992-5925-4e9f-a49b-845e51d1de01'),(6135,'Issue',340,16,'win-sysmon'),(6136,'Issue',340,17,''),(6137,'Issue',340,7,''),(6138,'Issue',340,3,'Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.'),(6139,'Issue',340,4,''),(6140,'Issue',340,5,'_False Positives_\nUnkown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(6141,'Issue',340,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:(\"12\" OR \"13\") AND event_data.TargetObject:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session\\ Manager\\\\AppCertDlls\") OR (event.code:\"14\" AND NewName:\"HKLM\\\\SYSTEM\\\\CurentControlSet\\\\Control\\\\Session\\ Manager\\\\AppCertDlls\")))\nindex: so-*\nname: New DLL Added to AppCertDlls Registry Key\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6142,'Issue',340,9,'{{collapse(View Sigma)\n
\n\ntitle: New DLL Added to AppCertDlls Registry Key\nid: 6aa1d992-5925-4e9f-a49b-845e51d1de01\nstatus: experimental\ndescription: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value\n  in the Registry key can be abused to obtain persistence and privilege escalation\n  by causing a malicious DLL to be loaded and run in the context of separate processes\n  on the computer.\nreferences:\n- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/\n- https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html\ntags:\n- attack.persistence\n- attack.t1182\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n  - EventID:\n    - 12\n    - 13\n    TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\n  - EventID: 14\n    NewName: HKLM\\SYSTEM\\CurentControlSet\\Control\\Session Manager\\AppCertDlls\n  condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unkown\nlevel: medium\n\n
\n}}'),(6143,'Issue',340,15,'T1182'),(6144,'Issue',341,1,'New DLL Added to AppInit_DLLs Registry Key'),(6145,'Issue',341,2,'Ilyas Ochkov, oscd.community'),(6146,'Issue',341,8,'https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html'),(6147,'Issue',341,10,'medium'),(6148,'Issue',341,13,'community'),(6149,'Issue',341,14,'windows'),(6151,'Issue',341,11,'2c5115a75'),(6152,'Issue',341,12,'4f84b697-c9ed-4420-8ab5-e09af5b2345d'),(6153,'Issue',341,16,'win-sysmon'),(6154,'Issue',341,17,''),(6155,'Issue',341,7,''),(6156,'Issue',341,3,'DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll'),(6157,'Issue',341,4,''),(6158,'Issue',341,5,'_False Positives_\nUnkown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(6159,'Issue',341,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:(\"12\" OR \"13\") AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls OR *\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls)) OR (event.code:\"14\" AND NewName.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls OR *\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls))))\nindex: so-*\nname: New DLL Added to AppInit_DLLs Registry Key\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6160,'Issue',341,9,'{{collapse(View Sigma)\n
\n\ntitle: New DLL Added to AppInit_DLLs Registry Key\nid: 4f84b697-c9ed-4420-8ab5-e09af5b2345d\nstatus: experimental\ndescription: DLLs that are specified in the AppInit_DLLs value in the Registry key\n  HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll\n  into every process that loads user32.dll\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html\ntags:\n- attack.persistence\n- attack.t1103\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n  - EventID:\n    - 12\n    - 13\n    TargetObject:\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n    - \'*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n  - EventID: 14\n    NewName:\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n    - \'*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n  condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unkown\nlevel: medium\n\n
\n}}'),(6161,'Issue',341,15,'T1103'),(6162,'Issue',342,1,'Password Dumper Remote Thread in LSASS'),(6163,'Issue',342,2,'Thomas Patzke'),(6164,'Issue',342,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm'),(6165,'Issue',342,10,'high'),(6166,'Issue',342,13,'community'),(6167,'Issue',342,14,'windows'),(6169,'Issue',342,11,'5c5659709'),(6170,'Issue',342,12,'f239b326-2f41-4d6b-9dfa-c846a60ef505'),(6171,'Issue',342,16,'win-sysmon'),(6172,'Issue',342,17,''),(6173,'Issue',342,7,''),(6174,'Issue',342,3,'Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.'),(6175,'Issue',342,4,''),(6176,'Issue',342,5,'_False Positives_\nunknown'),(6177,'Issue',342,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.TargetImage:\"C\\:\\\\Windows\\\\System32\\\\lsass.exe\" AND NOT _exists_:event_data.StartModule)\nindex: so-*\nname: Password Dumper Remote Thread in LSASS\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6178,'Issue',342,9,'{{collapse(View Sigma)\n
\n\ntitle: Password Dumper Remote Thread in LSASS\nid: f239b326-2f41-4d6b-9dfa-c846a60ef505\ndescription: Detects password dumper activity by monitoring remote thread creation\n  EventID 8 in combination with the lsass.exe process as TargetImage. The process\n  in field Process is the malicious program. A single execution can lead to hundreds\n  of events.\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm\nstatus: stable\nauthor: Thomas Patzke\ndate: 2017/02/19\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    TargetImage: C:\\Windows\\System32\\lsass.exe\n    StartModule:\n  condition: selection\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6179,'Issue',342,15,'T1003'),(6180,'Issue',343,1,'Possible DNS Rebinding'),(6181,'Issue',343,2,'Ilyas Ochkov, oscd.community'),(6182,'Issue',343,8,'https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325'),(6183,'Issue',343,10,'medium'),(6184,'Issue',343,13,'community'),(6185,'Issue',343,14,'windows'),(6187,'Issue',343,11,'238493844'),(6188,'Issue',343,12,'eb07e747-2552-44cd-af36-b659ae0958e4'),(6189,'Issue',343,16,'win-sysmon'),(6190,'Issue',343,17,''),(6191,'Issue',343,7,''),(6192,'Issue',343,3,'Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).'),(6193,'Issue',343,4,''),(6194,'Issue',343,5,'_False Positives_\n Unknown'),(6195,'Issue',343,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"22\" AND QueryName.keyword:* AND QueryStatus:\"0\" AND QueryResults.keyword:(\\(\\:\\:ffff\\:\\)?10.* OR \\(\\:\\:ffff\\:\\)?192.168.* OR \\(\\:\\:ffff\\:\\)?172.16.* OR \\(\\:\\:ffff\\:\\)?172.17.* OR \\(\\:\\:ffff\\:\\)?172.18.* OR \\(\\:\\:ffff\\:\\)?172.19.* OR \\(\\:\\:ffff\\:\\)?172.20.* OR \\(\\:\\:ffff\\:\\)?172.21.* OR \\(\\:\\:ffff\\:\\)?172.22.* OR \\(\\:\\:ffff\\:\\)?172.23.* OR \\(\\:\\:ffff\\:\\)?172.24.* OR \\(\\:\\:ffff\\:\\)?172.25.* OR \\(\\:\\:ffff\\:\\)?172.26.* OR \\(\\:\\:ffff\\:\\)?172.27.* OR \\(\\:\\:ffff\\:\\)?172.28.* OR \\(\\:\\:ffff\\:\\)?172.29.* OR \\(\\:\\:ffff\\:\\)?172.30.* OR \\(\\:\\:ffff\\:\\)?172.31.* OR \\(\\:\\:ffff\\:\\)?127.*) AND (event.code:\"22\" AND QueryName.keyword:* AND QueryStatus:\"0\") AND (NOT (QueryResults.keyword:(\\(\\:\\:ffff\\:\\)?10.* OR \\(\\:\\:ffff\\:\\)?192.168.* OR \\(\\:\\:ffff\\:\\)?172.16.* OR \\(\\:\\:ffff\\:\\)?172.17.* OR \\(\\:\\:ffff\\:\\)?172.18.* OR \\(\\:\\:ffff\\:\\)?172.19.* OR \\(\\:\\:ffff\\:\\)?172.20.* OR \\(\\:\\:ffff\\:\\)?172.21.* OR \\(\\:\\:ffff\\:\\)?172.22.* OR \\(\\:\\:ffff\\:\\)?172.23.* OR \\(\\:\\:ffff\\:\\)?172.24.* OR \\(\\:\\:ffff\\:\\)?172.25.* OR \\(\\:\\:ffff\\:\\)?172.26.* OR \\(\\:\\:ffff\\:\\)?172.27.* OR \\(\\:\\:ffff\\:\\)?172.28.* OR \\(\\:\\:ffff\\:\\)?172.29.* OR \\(\\:\\:ffff\\:\\)?172.30.* OR \\(\\:\\:ffff\\:\\)?172.31.* OR \\(\\:\\:ffff\\:\\)?127.*))))\nindex: so-*\nmax_threshold: 3\nmetric_agg_key: QueryName.keyword\nmetric_agg_type: cardinality\nname: Possible DNS Rebinding\npriority: 3\nquery_key: event_data.ComputerName.keyword\nrealert:\n  minutes: 0\ntype: metric_aggregation\n
\n}}'),(6196,'Issue',343,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible DNS Rebinding\nid: eb07e747-2552-44cd-af36-b659ae0958e4\nstatus: experimental\ndescription: Detects several different DNS-answers by one domain with IPs from internal\n  and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved\n  in host cache for a while TTL).\ndate: 2019/10/25\nmodified: 2019/11/13\nauthor: Ilyas Ochkov, oscd.community\nreferences:\n- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325\ntags:\n- attack.command_and_control\n- attack.t1043\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  dns_answer:\n    EventID: 22\n    QueryName: \'*\'\n    QueryStatus: \'0\'\n  filter_int_ip:\n    QueryResults|startswith:\n    - (::ffff:)?10.\n    - (::ffff:)?192.168.\n    - (::ffff:)?172.16.\n    - (::ffff:)?172.17.\n    - (::ffff:)?172.18.\n    - (::ffff:)?172.19.\n    - (::ffff:)?172.20.\n    - (::ffff:)?172.21.\n    - (::ffff:)?172.22.\n    - (::ffff:)?172.23.\n    - (::ffff:)?172.24.\n    - (::ffff:)?172.25.\n    - (::ffff:)?172.26.\n    - (::ffff:)?172.27.\n    - (::ffff:)?172.28.\n    - (::ffff:)?172.29.\n    - (::ffff:)?172.30.\n    - (::ffff:)?172.31.\n    - (::ffff:)?127.\n  timeframe: 30s\n  condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip)\n    | count(QueryName) by ComputerName > 3\nlevel: medium\n\n
\n}}'),(6197,'Issue',343,15,'T1043'),(6198,'Issue',344,1,'Possible Privilege Escalation via Service Permissions Weakness'),(6199,'Issue',344,2,'Teymur Kheirkhabarov'),(6200,'Issue',344,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://pentestlab.blog/2017/03/31/insecure-registry-permissions/'),(6201,'Issue',344,10,'high'),(6202,'Issue',344,13,'community'),(6203,'Issue',344,14,'windows'),(6205,'Issue',344,11,'ca6038e23'),(6206,'Issue',344,12,'0f9c21f1-6a73-4b0e-9809-cb562cb8d981'),(6207,'Issue',344,16,'win-sysmon'),(6208,'Issue',344,17,''),(6209,'Issue',344,7,''),(6210,'Issue',344,3,'Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level'),(6211,'Issue',344,4,''),(6212,'Issue',344,5,'_False Positives_\nUnknown'),(6213,'Issue',344,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND IntegrityLevel:\"Medium\" AND event_data.TargetObject.keyword:*\\\\services\\* AND event_data.TargetObject.keyword:(*\\\\ImagePath OR *\\\\FailureCommand OR *\\\\Parameters\\\\ServiceDll))\nindex: so-*\nname: Possible Privilege Escalation via Service Permissions Weakness\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6214,'Issue',344,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Privilege Escalation via Service Permissions Weakness\nid: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981\ndescription: Detect modification of services configuration (ImagePath, FailureCommand\n  and ServiceDLL) in registry by processes with Medium integrity level\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://pentestlab.blog/2017/03/31/insecure-registry-permissions/\ntags:\n- attack.privilege_escalation\n- attack.t1058\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    IntegrityLevel: Medium\n    TargetObject|contains: \\services\\\n    TargetObject|endswith:\n    - \\ImagePath\n    - \\FailureCommand\n    - \\Parameters\\ServiceDll\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0003_enrich_other_sysmon_events_with_event_id_1_data\n\n
\n}}'),(6215,'Issue',344,15,'T1058'),(6216,'Issue',345,1,'PowerShell Execution'),(6217,'Issue',345,2,'Roberto Rodriguez @Cyb3rWard0g'),(6218,'Issue',345,8,'https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml'),(6219,'Issue',345,10,'medium'),(6220,'Issue',345,13,'community'),(6221,'Issue',345,14,'windows'),(6223,'Issue',345,11,'b785c06a3'),(6224,'Issue',345,12,'867613fb-fa60-4497-a017-a82df74a172c'),(6225,'Issue',345,16,'win-sysmon'),(6226,'Issue',345,17,''),(6227,'Issue',345,7,''),(6228,'Issue',345,3,'Detects execution of PowerShell'),(6229,'Issue',345,4,''),(6230,'Issue',345,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nImage\nProcessID\nImageLoaded'),(6231,'Issue',345,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.pe.description:\"system.management.automation\" AND event_data.ImageLoaded.keyword:*system.management.automation*)\nindex: so-*\nname: PowerShell Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6232,'Issue',345,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Execution\nid: 867613fb-fa60-4497-a017-a82df74a172c\ndescription: Detects execution of PowerShell\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml\nlogsource:\n  product: windows\n  service: sysmon\ntags:\n- attack.execution\n- attack.t1086\ndetection:\n  selection:\n    EventID: 7\n    Description: system.management.automation\n    ImageLoaded|contains: system.management.automation\n  condition: selection\nfields:\n- ComputerName\n- Image\n- ProcessID\n- ImageLoaded\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(6233,'Issue',345,15,'T1086'),(6234,'Issue',346,1,'Malicious PowerShell Commandlet Names'),(6235,'Issue',346,2,'Markus Neis'),(6236,'Issue',346,8,'https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml'),(6237,'Issue',346,10,'high'),(6238,'Issue',346,13,'community'),(6239,'Issue',346,14,'windows'),(6241,'Issue',346,11,'89b3e1259'),(6242,'Issue',346,12,'f331aa1f-8c53-4fc3-b083-cc159bc971cb'),(6243,'Issue',346,16,'win-sysmon'),(6244,'Issue',346,17,''),(6245,'Issue',346,7,''),(6246,'Issue',346,3,'Detects the creation of known powershell scripts for exploitation'),(6247,'Issue',346,4,''),(6248,'Issue',346,5,'_False Positives_\nPenetration Tests'),(6249,'Issue',346,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:(*\\\\Invoke\\-DllInjection.ps1 OR *\\\\Invoke\\-WmiCommand.ps1 OR *\\\\Get\\-GPPPassword.ps1 OR *\\\\Get\\-Keystrokes.ps1 OR *\\\\Get\\-VaultCredential.ps1 OR *\\\\Invoke\\-CredentialInjection.ps1 OR *\\\\Invoke\\-Mimikatz.ps1 OR *\\\\Invoke\\-NinjaCopy.ps1 OR *\\\\Invoke\\-TokenManipulation.ps1 OR *\\\\Out\\-Minidump.ps1 OR *\\\\VolumeShadowCopyTools.ps1 OR *\\\\Invoke\\-ReflectivePEInjection.ps1 OR *\\\\Get\\-TimedScreenshot.ps1 OR *\\\\Invoke\\-UserHunter.ps1 OR *\\\\Find\\-GPOLocation.ps1 OR *\\\\Invoke\\-ACLScanner.ps1 OR *\\\\Invoke\\-DowngradeAccount.ps1 OR *\\\\Get\\-ServiceUnquoted.ps1 OR *\\\\Get\\-ServiceFilePermission.ps1 OR *\\\\Get\\-ServicePermission.ps1 OR *\\\\Invoke\\-ServiceAbuse.ps1 OR *\\\\Install\\-ServiceBinary.ps1 OR *\\\\Get\\-RegAutoLogon.ps1 OR *\\\\Get\\-VulnAutoRun.ps1 OR *\\\\Get\\-VulnSchTask.ps1 OR *\\\\Get\\-UnattendedInstallFile.ps1 OR *\\\\Get\\-WebConfig.ps1 OR *\\\\Get\\-ApplicationHost.ps1 OR *\\\\Get\\-RegAlwaysInstallElevated.ps1 OR *\\\\Get\\-Unconstrained.ps1 OR *\\\\Add\\-RegBackdoor.ps1 OR *\\\\Add\\-ScrnSaveBackdoor.ps1 OR *\\\\Gupt\\-Backdoor.ps1 OR *\\\\Invoke\\-ADSBackdoor.ps1 OR *\\\\Enabled\\-DuplicateToken.ps1 OR *\\\\Invoke\\-PsUaCme.ps1 OR *\\\\Remove\\-Update.ps1 OR *\\\\Check\\-VM.ps1 OR *\\\\Get\\-LSASecret.ps1 OR *\\\\Get\\-PassHashes.ps1 OR *\\\\Show\\-TargetScreen.ps1 OR *\\\\Port\\-Scan.ps1 OR *\\\\Invoke\\-PoshRatHttp.ps1 OR *\\\\Invoke\\-PowerShellTCP.ps1 OR *\\\\Invoke\\-PowerShellWMI.ps1 OR *\\\\Add\\-Exfiltration.ps1 OR *\\\\Add\\-Persistence.ps1 OR *\\\\Do\\-Exfiltration.ps1 OR *\\\\Start\\-CaptureServer.ps1 OR *\\\\Invoke\\-ShellCode.ps1 OR *\\\\Get\\-ChromeDump.ps1 OR *\\\\Get\\-ClipboardContents.ps1 OR *\\\\Get\\-FoxDump.ps1 OR *\\\\Get\\-IndexedItem.ps1 OR *\\\\Get\\-Screenshot.ps1 OR *\\\\Invoke\\-Inveigh.ps1 OR *\\\\Invoke\\-NetRipper.ps1 OR *\\\\Invoke\\-EgressCheck.ps1 OR *\\\\Invoke\\-PostExfil.ps1 OR *\\\\Invoke\\-PSInject.ps1 OR *\\\\Invoke\\-RunAs.ps1 OR *\\\\MailRaider.ps1 OR *\\\\New\\-HoneyHash.ps1 OR *\\\\Set\\-MacAttribute.ps1 OR *\\\\Invoke\\-DCSync.ps1 OR *\\\\Invoke\\-PowerDump.ps1 OR *\\\\Exploit\\-Jboss.ps1 OR *\\\\Invoke\\-ThunderStruck.ps1 OR *\\\\Invoke\\-VoiceTroll.ps1 OR *\\\\Set\\-Wallpaper.ps1 OR *\\\\Invoke\\-InveighRelay.ps1 OR *\\\\Invoke\\-PsExec.ps1 OR *\\\\Invoke\\-SSHCommand.ps1 OR *\\\\Get\\-SecurityPackages.ps1 OR *\\\\Install\\-SSP.ps1 OR *\\\\Invoke\\-BackdoorLNK.ps1 OR *\\\\PowerBreach.ps1 OR *\\\\Get\\-SiteListPassword.ps1 OR *\\\\Get\\-System.ps1 OR *\\\\Invoke\\-BypassUAC.ps1 OR *\\\\Invoke\\-Tater.ps1 OR *\\\\Invoke\\-WScriptBypassUAC.ps1 OR *\\\\PowerUp.ps1 OR *\\\\PowerView.ps1 OR *\\\\Get\\-RickAstley.ps1 OR *\\\\Find\\-Fruit.ps1 OR *\\\\HTTP\\-Login.ps1 OR *\\\\Find\\-TrustedDocuments.ps1 OR *\\\\Invoke\\-Paranoia.ps1 OR *\\\\Invoke\\-WinEnum.ps1 OR *\\\\Invoke\\-ARPScan.ps1 OR *\\\\Invoke\\-PortScan.ps1 OR *\\\\Invoke\\-ReverseDNSLookup.ps1 OR *\\\\Invoke\\-SMBScanner.ps1 OR *\\\\Invoke\\-Mimikittenz.ps1))\nindex: so-*\nname: Malicious PowerShell Commandlet Names\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6250,'Issue',346,9,'{{collapse(View Sigma)\n
\n\ntitle: Malicious PowerShell Commandlet Names\nid: f331aa1f-8c53-4fc3-b083-cc159bc971cb\nstatus: experimental\ndescription: Detects the creation of known powershell scripts for exploitation\nreferences:\n- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml\ntags:\n- attack.execution\n- attack.t1086\nauthor: Markus Neis\ndate: 2018/04/07\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename:\n    - \'*\\Invoke-DllInjection.ps1\'\n    - \'*\\Invoke-WmiCommand.ps1\'\n    - \'*\\Get-GPPPassword.ps1\'\n    - \'*\\Get-Keystrokes.ps1\'\n    - \'*\\Get-VaultCredential.ps1\'\n    - \'*\\Invoke-CredentialInjection.ps1\'\n    - \'*\\Invoke-Mimikatz.ps1\'\n    - \'*\\Invoke-NinjaCopy.ps1\'\n    - \'*\\Invoke-TokenManipulation.ps1\'\n    - \'*\\Out-Minidump.ps1\'\n    - \'*\\VolumeShadowCopyTools.ps1\'\n    - \'*\\Invoke-ReflectivePEInjection.ps1\'\n    - \'*\\Get-TimedScreenshot.ps1\'\n    - \'*\\Invoke-UserHunter.ps1\'\n    - \'*\\Find-GPOLocation.ps1\'\n    - \'*\\Invoke-ACLScanner.ps1\'\n    - \'*\\Invoke-DowngradeAccount.ps1\'\n    - \'*\\Get-ServiceUnquoted.ps1\'\n    - \'*\\Get-ServiceFilePermission.ps1\'\n    - \'*\\Get-ServicePermission.ps1\'\n    - \'*\\Invoke-ServiceAbuse.ps1\'\n    - \'*\\Install-ServiceBinary.ps1\'\n    - \'*\\Get-RegAutoLogon.ps1\'\n    - \'*\\Get-VulnAutoRun.ps1\'\n    - \'*\\Get-VulnSchTask.ps1\'\n    - \'*\\Get-UnattendedInstallFile.ps1\'\n    - \'*\\Get-WebConfig.ps1\'\n    - \'*\\Get-ApplicationHost.ps1\'\n    - \'*\\Get-RegAlwaysInstallElevated.ps1\'\n    - \'*\\Get-Unconstrained.ps1\'\n    - \'*\\Add-RegBackdoor.ps1\'\n    - \'*\\Add-ScrnSaveBackdoor.ps1\'\n    - \'*\\Gupt-Backdoor.ps1\'\n    - \'*\\Invoke-ADSBackdoor.ps1\'\n    - \'*\\Enabled-DuplicateToken.ps1\'\n    - \'*\\Invoke-PsUaCme.ps1\'\n    - \'*\\Remove-Update.ps1\'\n    - \'*\\Check-VM.ps1\'\n    - \'*\\Get-LSASecret.ps1\'\n    - \'*\\Get-PassHashes.ps1\'\n    - \'*\\Show-TargetScreen.ps1\'\n    - \'*\\Port-Scan.ps1\'\n    - \'*\\Invoke-PoshRatHttp.ps1\'\n    - \'*\\Invoke-PowerShellTCP.ps1\'\n    - \'*\\Invoke-PowerShellWMI.ps1\'\n    - \'*\\Add-Exfiltration.ps1\'\n    - \'*\\Add-Persistence.ps1\'\n    - \'*\\Do-Exfiltration.ps1\'\n    - \'*\\Start-CaptureServer.ps1\'\n    - \'*\\Invoke-ShellCode.ps1\'\n    - \'*\\Get-ChromeDump.ps1\'\n    - \'*\\Get-ClipboardContents.ps1\'\n    - \'*\\Get-FoxDump.ps1\'\n    - \'*\\Get-IndexedItem.ps1\'\n    - \'*\\Get-Screenshot.ps1\'\n    - \'*\\Invoke-Inveigh.ps1\'\n    - \'*\\Invoke-NetRipper.ps1\'\n    - \'*\\Invoke-EgressCheck.ps1\'\n    - \'*\\Invoke-PostExfil.ps1\'\n    - \'*\\Invoke-PSInject.ps1\'\n    - \'*\\Invoke-RunAs.ps1\'\n    - \'*\\MailRaider.ps1\'\n    - \'*\\New-HoneyHash.ps1\'\n    - \'*\\Set-MacAttribute.ps1\'\n    - \'*\\Invoke-DCSync.ps1\'\n    - \'*\\Invoke-PowerDump.ps1\'\n    - \'*\\Exploit-Jboss.ps1\'\n    - \'*\\Invoke-ThunderStruck.ps1\'\n    - \'*\\Invoke-VoiceTroll.ps1\'\n    - \'*\\Set-Wallpaper.ps1\'\n    - \'*\\Invoke-InveighRelay.ps1\'\n    - \'*\\Invoke-PsExec.ps1\'\n    - \'*\\Invoke-SSHCommand.ps1\'\n    - \'*\\Get-SecurityPackages.ps1\'\n    - \'*\\Install-SSP.ps1\'\n    - \'*\\Invoke-BackdoorLNK.ps1\'\n    - \'*\\PowerBreach.ps1\'\n    - \'*\\Get-SiteListPassword.ps1\'\n    - \'*\\Get-System.ps1\'\n    - \'*\\Invoke-BypassUAC.ps1\'\n    - \'*\\Invoke-Tater.ps1\'\n    - \'*\\Invoke-WScriptBypassUAC.ps1\'\n    - \'*\\PowerUp.ps1\'\n    - \'*\\PowerView.ps1\'\n    - \'*\\Get-RickAstley.ps1\'\n    - \'*\\Find-Fruit.ps1\'\n    - \'*\\HTTP-Login.ps1\'\n    - \'*\\Find-TrustedDocuments.ps1\'\n    - \'*\\Invoke-Paranoia.ps1\'\n    - \'*\\Invoke-WinEnum.ps1\'\n    - \'*\\Invoke-ARPScan.ps1\'\n    - \'*\\Invoke-PortScan.ps1\'\n    - \'*\\Invoke-ReverseDNSLookup.ps1\'\n    - \'*\\Invoke-SMBScanner.ps1\'\n    - \'*\\Invoke-Mimikittenz.ps1\'\n  condition: selection\nfalsepositives:\n- Penetration Tests\nlevel: high\n\n
\n}}'),(6251,'Issue',346,15,'T1086'),(6252,'Issue',347,1,'PowerShell Network Connections'),(6253,'Issue',347,2,'Florian Roth'),(6254,'Issue',347,8,'https://www.youtube.com/watch?v=DLtJTxMWZ2o'),(6255,'Issue',347,10,'low'),(6256,'Issue',347,13,'community'),(6257,'Issue',347,14,'windows'),(6259,'Issue',347,11,'bdecf01db'),(6260,'Issue',347,12,'1f21ec3f-810d-4b0e-8045-322202e22b4b'),(6261,'Issue',347,16,'win-sysmon'),(6262,'Issue',347,17,''),(6263,'Issue',347,7,''),(6264,'Issue',347,3,'Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company\'s ip range\')'),(6265,'Issue',347,4,''),(6266,'Issue',347,5,'_False Positives_\nAdministrative scripts'),(6267,'Issue',347,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND process.executable.keyword:*\\\\powershell.exe AND event_data.Initiated:\"true\") AND (NOT (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND event_data.DestinationIsIpv6:\"false\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: PowerShell Network Connections\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6268,'Issue',347,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Network Connections\nid: 1f21ec3f-810d-4b0e-8045-322202e22b4b\nstatus: experimental\ndescription: Detects a Powershell process that opens network connections - check for\n  suspicious target ports and target systems - adjust to your environment (e.g. extend\n  filters with company\'s ip range\')\nauthor: Florian Roth\ndate: 2017/03/13\nreferences:\n- https://www.youtube.com/watch?v=DLtJTxMWZ2o\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Image: \'*\\powershell.exe\'\n    Initiated: \'true\'\n  filter:\n    DestinationIp:\n    - 10.*\n    - 192.168.*\n    - 172.16.*\n    - 172.17.*\n    - 172.18.*\n    - 172.19.*\n    - 172.20.*\n    - 172.21.*\n    - 172.22.*\n    - 172.23.*\n    - 172.24.*\n    - 172.25.*\n    - 172.26.*\n    - 172.27.*\n    - 172.28.*\n    - 172.29.*\n    - 172.30.*\n    - 172.31.*\n    - 127.0.0.1\n    DestinationIsIpv6: \'false\'\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection and not filter\nfalsepositives:\n- Administrative scripts\nlevel: low\n\n
\n}}'),(6269,'Issue',347,15,'T1086'),(6270,'Issue',348,1,'QuarksPwDump Dump File'),(6271,'Issue',348,2,'Florian Roth'),(6272,'Issue',348,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm'),(6273,'Issue',348,10,'critical'),(6274,'Issue',348,13,'community'),(6275,'Issue',348,14,'windows'),(6277,'Issue',348,11,'3ce09ad54'),(6278,'Issue',348,12,'847def9e-924d-4e90-b7c4-5f581395a2b4'),(6279,'Issue',348,16,'win-sysmon'),(6280,'Issue',348,17,''),(6281,'Issue',348,7,''),(6282,'Issue',348,3,'Detects a dump file written by QuarksPwDump password dumper'),(6283,'Issue',348,4,''),(6284,'Issue',348,5,'_False Positives_\nUnknown'),(6285,'Issue',348,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM\\-*.dmp*)\nindex: so-*\nname: QuarksPwDump Dump File\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6286,'Issue',348,9,'{{collapse(View Sigma)\n
\n\ntitle: QuarksPwDump Dump File\nid: 847def9e-924d-4e90-b7c4-5f581395a2b4\nstatus: experimental\ndescription: Detects a dump file written by QuarksPwDump password dumper\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm\nauthor: Florian Roth\ndate: 2018/02/10\ntags:\n- attack.credential_access\n- attack.t1003\nlevel: critical\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    TargetFilename: \'*\\AppData\\Local\\Temp\\SAM-*.dmp*\'\n  condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(6287,'Issue',348,15,'T1003'),(6288,'Issue',349,1,'Raw Disk Access Using Illegitimate Tools'),(6289,'Issue',349,2,'Teymur Kheirkhabarov, oscd.community'),(6290,'Issue',349,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(6291,'Issue',349,10,'medium'),(6292,'Issue',349,13,'community'),(6293,'Issue',349,14,'windows'),(6295,'Issue',349,11,'979a4709f'),(6296,'Issue',349,12,'db809f10-56ce-4420-8c86-d6a7d793c79c'),(6297,'Issue',349,16,'win-sysmon'),(6298,'Issue',349,17,''),(6299,'Issue',349,7,''),(6300,'Issue',349,3,'Raw disk access using illegitimate tools, possible defence evasion'),(6301,'Issue',349,4,''),(6302,'Issue',349,5,'_False Positives_\nLegitimate Administrator using tool for raw access or ongoing forensic investigation\n\n_Interesting Log Fields_\nComputerName\nImage\nProcessID\nDevice'),(6303,'Issue',349,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"9\" AND (NOT (Device.keyword:*floppy*))) AND (NOT (process.executable.keyword:(*\\\\wmiprvse.exe OR *\\\\sdiagnhost.exe OR *\\\\searchindexer.exe OR *\\\\csrss.exe OR *\\\\defrag.exe OR *\\\\smss.exe OR *\\\\vssvc.exe OR *\\\\compattelrunner.exe OR *\\\\wininit.exe OR *\\\\autochk.exe OR *\\\\taskhost.exe OR *\\\\dfsrs.exe OR *\\\\vds.exe OR *\\\\lsass.exe))))\nindex: so-*\nname: Raw Disk Access Using Illegitimate Tools\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6304,'Issue',349,9,'{{collapse(View Sigma)\n
\n\ntitle: Raw Disk Access Using Illegitimate Tools\nid: db809f10-56ce-4420-8c86-d6a7d793c79c\ndescription: Raw disk access using illegitimate tools, possible defence evasion\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.defense_evasion\n- attack.t1006\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 9\n  filter_1:\n    Device|contains: floppy\n  filter_2:\n  - Image|endswith:\n    - \\wmiprvse.exe\n    - \\sdiagnhost.exe\n    - \\searchindexer.exe\n    - \\csrss.exe\n    - \\defrag.exe\n    - \\smss.exe\n    - \\vssvc.exe\n    - \\compattelrunner.exe\n    - \\wininit.exe\n    - \\autochk.exe\n    - \\taskhost.exe\n    - \\dfsrs.exe\n    - \\vds.exe\n    - \\lsass.exe\n  condition: selection and not filter_1 and not filter_2\nfields:\n- ComputerName\n- Image\n- ProcessID\n- Device\nfalsepositives:\n- Legitimate Administrator using tool for raw access or ongoing forensic investigation\nlevel: medium\nstatus: experimental\n\n
\n}}'),(6305,'Issue',349,15,'T1006'),(6306,'Issue',350,1,'RDP Registry Modification'),(6307,'Issue',350,2,'Roberto Rodriguez @Cyb3rWard0g'),(6308,'Issue',350,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md'),(6309,'Issue',350,10,'high'),(6310,'Issue',350,13,'community'),(6311,'Issue',350,14,'windows'),(6313,'Issue',350,11,'5a3902041'),(6314,'Issue',350,12,'41904ebe-d56c-4904-b9ad-7a77bdf154b3'),(6315,'Issue',350,16,'win-sysmon'),(6316,'Issue',350,17,''),(6317,'Issue',350,7,''),(6318,'Issue',350,3,'Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.'),(6319,'Issue',350,4,''),(6320,'Issue',350,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nImage\nEventType\nTargetObject'),(6321,'Issue',350,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\CurrentControlSet\\\\Control\\\\Terminal\\ Server\\\\WinStations\\\\RDP\\-Tcp\\\\UserAuthentication OR *\\\\CurrentControlSet\\\\Control\\\\Terminal\\ Server\\\\fDenyTSConnections) AND event_data.Details:\"DWORD\\ \\(0x00000000\\)\")\nindex: so-*\nname: RDP Registry Modification\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6322,'Issue',350,9,'{{collapse(View Sigma)\n
\n\ntitle: RDP Registry Modification\nid: 41904ebe-d56c-4904-b9ad-7a77bdf154b3\ndescription: Detects potential malicious modification of the property value of fDenyTSConnections\n  and UserAuthentication to enable remote desktop connections.\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md\ntags:\n- attack.defense_evasion\n- attack.t1112\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject|endswith:\n    - \\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication\n    - \\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections\n    Details: DWORD (0x00000000)\n  condition: selection\nfields:\n- ComputerName\n- Image\n- EventType\n- TargetObject\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6323,'Issue',350,15,'T1112'),(6324,'Issue',351,1,'RDP Over Reverse SSH Tunnel'),(6325,'Issue',351,2,'Samir Bousseaden'),(6326,'Issue',351,8,'https://twitter.com/SBousseaden/status/1096148422984384514'),(6327,'Issue',351,10,'high'),(6328,'Issue',351,13,'community'),(6329,'Issue',351,14,'windows'),(6331,'Issue',351,11,'31989b88d'),(6332,'Issue',351,12,'5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4'),(6333,'Issue',351,16,'win-sysmon'),(6334,'Issue',351,17,''),(6335,'Issue',351,7,''),(6336,'Issue',351,3,'Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389'),(6337,'Issue',351,4,''),(6338,'Issue',351,5,'_False Positives_\nunknown'),(6339,'Issue',351,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND process.executable.keyword:*\\\\svchost.exe AND event_data.Initiated:\"true\" AND SourcePort:\"3389\" AND destination_ip.keyword:(127.* OR \\:\\:1))\nindex: so-*\nname: RDP Over Reverse SSH Tunnel\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6340,'Issue',351,9,'{{collapse(View Sigma)\n
\n\ntitle: RDP Over Reverse SSH Tunnel\nid: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4\nstatus: experimental\ndescription: Detects svchost hosting RDP termsvcs communicating with the loopback\n  address and on TCP port 3389\nreferences:\n- https://twitter.com/SBousseaden/status/1096148422984384514\nauthor: Samir Bousseaden\ndate: 2019/02/16\ntags:\n- attack.defense_evasion\n- attack.command_and_control\n- attack.t1076\n- car.2013-07-002\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Image: \'*\\svchost.exe\'\n    Initiated: \'true\'\n    SourcePort: 3389\n    DestinationIp:\n    - 127.*\n    - ::1\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6341,'Issue',351,15,'T1076'),(6342,'Issue',352,1,'RDP Sensitive Settings Changed'),(6343,'Issue',352,2,'Samir Bousseaden'),(6344,'Issue',352,8,'https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html'),(6345,'Issue',352,10,'high'),(6346,'Issue',352,13,'community'),(6347,'Issue',352,14,'windows'),(6348,'Issue',352,15,''),(6349,'Issue',352,11,'548ae70d5'),(6350,'Issue',352,12,'171b67e1-74b4-460e-8d55-b331f3e32d67'),(6351,'Issue',352,16,'win-sysmon'),(6352,'Issue',352,17,''),(6353,'Issue',352,7,''),(6354,'Issue',352,3,'Detects changes to RDP terminal service sensitive settings'),(6355,'Issue',352,4,''),(6356,'Issue',352,5,'_False Positives_\nunknown'),(6357,'Issue',352,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll* OR *\\\\Control\\\\Terminal\\ Server\\\\fSingleSessionPerUser* OR *\\\\Control\\\\Terminal\\ Server\\\\fDenyTSConnections*))\nindex: so-*\nname: RDP Sensitive Settings Changed\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6358,'Issue',352,9,'{{collapse(View Sigma)\n
\n\ntitle: RDP Sensitive Settings Changed\nid: 171b67e1-74b4-460e-8d55-b331f3e32d67\ndescription: Detects changes to RDP terminal service sensitive settings\nreferences:\n- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html\ndate: 2019/04/03\nauthor: Samir Bousseaden\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_reg:\n    EventID: 13\n    TargetObject:\n    - \'*\\services\\TermService\\Parameters\\ServiceDll*\'\n    - \'*\\Control\\Terminal Server\\fSingleSessionPerUser*\'\n    - \'*\\Control\\Terminal Server\\fDenyTSConnections*\'\n  condition: selection_reg\ntags:\n- attack.defense_evasion\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6359,'Issue',353,1,'Windows Registry Persistence COM Key Linking'),(6360,'Issue',353,2,'Kutepov Anton, oscd.community'),(6361,'Issue',353,8,'https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/'),(6362,'Issue',353,10,'medium'),(6363,'Issue',353,13,'community'),(6364,'Issue',353,14,'windows'),(6366,'Issue',353,11,'6f021fb7c'),(6367,'Issue',353,12,'9b0f8a61-91b2-464f-aceb-0527e0a45020'),(6368,'Issue',353,16,'win-sysmon'),(6369,'Issue',353,17,''),(6370,'Issue',353,7,''),(6371,'Issue',353,3,'Detects COM object hijacking via TreatAs subkey'),(6372,'Issue',353,4,''),(6373,'Issue',353,5,'_False Positives_\nMaybe some system utilities in rare cases use linking keys for backward compability'),(6374,'Issue',353,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"12\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\CLSID\\\\*\\\\TreatAs)\nindex: so-*\nname: Windows Registry Persistence COM Key Linking\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6375,'Issue',353,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Registry Persistence COM Key Linking\nid: 9b0f8a61-91b2-464f-aceb-0527e0a45020\nstatus: experimental\ndescription: Detects COM object hijacking via TreatAs subkey\nreferences:\n- https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/\nauthor: Kutepov Anton, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/07\ntags:\n- attack.persistence\n- attack.t1122\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 12\n    TargetObject: HKU\\\\*_Classes\\CLSID\\\\*\\TreatAs\n  condition: selection\nfalsepositives:\n- Maybe some system utilities in rare cases use linking keys for backward compability\nlevel: medium\n\n
\n}}'),(6376,'Issue',353,15,'T1122'),(6377,'Issue',354,1,'Windows Registry Persistence COM Search Order Hijacking'),(6378,'Issue',354,2,'Maxime Thiebaut (@0xThiebaut)'),(6379,'Issue',354,8,'https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/'),(6380,'Issue',354,10,'medium'),(6381,'Issue',354,13,'community'),(6382,'Issue',354,14,'windows'),(6384,'Issue',354,11,'27898e00b'),(6385,'Issue',354,12,'a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12'),(6386,'Issue',354,16,'win-sysmon'),(6387,'Issue',354,17,''),(6388,'Issue',354,7,''),(6389,'Issue',354,3,'Detects potential COM object hijacking leveraging the COM Search Order'),(6390,'Issue',354,4,''),(6391,'Issue',354,5,'_False Positives_\nSome installed utilities (i.e. OneDrive) may serve new COM objects at user-level'),(6392,'Issue',354,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\CLSID\\\\*\\\\InProcServer32\\\\\\(Default\\)) AND (NOT (event_data.Details.keyword:(%%systemroot%%\\\\system32\\\\* OR %%systemroot%%\\\\SysWow64\\\\* OR *\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\FileCoAuthLib64.dll OR *\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\FileSyncShell64.dll OR *\\\\AppData\\\\Local\\\\Microsoft\\\\TeamsMeetingAddin\\\\*\\\\Microsoft.Teams.AddinLoader.dll))))\nindex: so-*\nname: Windows Registry Persistence COM Search Order Hijacking\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6393,'Issue',354,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Registry Persistence COM Search Order Hijacking\nid: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12\nstatus: experimental\ndescription: Detects potential COM object hijacking leveraging the COM Search Order\nreferences:\n- https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/\nauthor: Maxime Thiebaut (@0xThiebaut)\ndate: 2020/04/14\ntags:\n- attack.persistence\n- attack.t1038\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject: HKU\\\\*_Classes\\CLSID\\\\*\\InProcServer32\\(Default)\n  filter:\n    Details:\n    - \'%%systemroot%%\\system32\\\\*\'\n    - \'%%systemroot%%\\SysWow64\\\\*\'\n    - \'*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileCoAuthLib64.dll\'\n    - \'*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileSyncShell64.dll\'\n    - \'*\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\\\*\\Microsoft.Teams.AddinLoader.dll\'\n  condition: selection and not filter\nfalsepositives:\n- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level\nlevel: medium\n\n
\n}}'),(6394,'Issue',354,15,'T1038'),(6395,'Issue',355,1,'Windows Registry Trust Record Modification'),(6396,'Issue',355,2,'Antonlovesdnb'),(6397,'Issue',355,8,'https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/\nhttp://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html'),(6398,'Issue',355,10,'medium'),(6399,'Issue',355,13,'community'),(6400,'Issue',355,14,'windows'),(6402,'Issue',355,11,'ab08d709e'),(6403,'Issue',355,12,'295a59c1-7b79-4b47-a930-df12c15fc9c2'),(6404,'Issue',355,16,'win-sysmon'),(6405,'Issue',355,17,''),(6406,'Issue',355,7,''),(6407,'Issue',355,3,'Alerts on trust record modification within the registry, indicating usage of macros'),(6408,'Issue',355,4,''),(6409,'Issue',355,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6410,'Issue',355,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"12\" AND event_data.TargetObject.keyword:*TrustRecords*)\nindex: so-*\nname: Windows Registry Trust Record Modification\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6411,'Issue',355,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Registry Trust Record Modification\nid: 295a59c1-7b79-4b47-a930-df12c15fc9c2\nstatus: experimental\ndescription: Alerts on trust record modification within the registry, indicating usage\n  of macros\nreferences:\n- https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/\n- http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html\nauthor: Antonlovesdnb\ndate: 2020/02/19\nmodified: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 12\n    TargetObject|contains: TrustRecords\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: medium\n\n
\n}}'),(6412,'Issue',355,15,'T1193'),(6413,'Issue',356,1,'Regsvr32 Network Activity'),(6414,'Issue',356,2,'Dmitriy Lifanov, oscd.community'),(6415,'Issue',356,8,'https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/\nhttps://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md'),(6416,'Issue',356,10,'high'),(6417,'Issue',356,13,'community'),(6418,'Issue',356,14,'windows'),(6420,'Issue',356,11,'2dae90c53'),(6421,'Issue',356,12,'c7e91a02-d771-4a6d-a700-42587e0b1095'),(6422,'Issue',356,16,'win-sysmon'),(6423,'Issue',356,17,''),(6424,'Issue',356,7,''),(6425,'Issue',356,3,'Detects network connections and DNS queries initiated by Regsvr32.exe'),(6426,'Issue',356,4,''),(6427,'Issue',356,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nDestinationIp\nDestinationPort'),(6428,'Issue',356,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"3\" OR \"22\") AND process.executable.keyword:*\\\\regsvr32.exe)\nindex: so-*\nname: Regsvr32 Network Activity\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6429,'Issue',356,9,'{{collapse(View Sigma)\n
\n\ntitle: Regsvr32 Network Activity\nid: c7e91a02-d771-4a6d-a700-42587e0b1095\ndescription: Detects network connections and DNS queries initiated by Regsvr32.exe\nreferences:\n- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/\n- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1117\nauthor: Dmitriy Lifanov, oscd.community\nstatus: experimental\ndate: 2019/10/25\nmodified: 2019/11/10\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID:\n    - 3\n    - 22\n    Image|endswith: \\regsvr32.exe\n  condition: selection\nfields:\n- ComputerName\n- User\n- Image\n- DestinationIp\n- DestinationPort\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6430,'Issue',356,15,'T1117'),(6431,'Issue',357,1,'Remote PowerShell Session'),(6432,'Issue',357,2,'Roberto Rodriguez @Cyb3rWard0g'),(6433,'Issue',357,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md'),(6434,'Issue',357,10,'high'),(6435,'Issue',357,13,'community'),(6436,'Issue',357,14,'windows'),(6438,'Issue',357,11,'1a8504907'),(6439,'Issue',357,12,'c539afac-c12a-46ed-b1bd-5a5567c9f045'),(6440,'Issue',357,16,'win-sysmon'),(6441,'Issue',357,17,''),(6442,'Issue',357,7,''),(6443,'Issue',357,3,'Detects remote PowerShell connections by monitoring network outbount connections to ports 5985 or 5986 from not network service account'),(6444,'Issue',357,4,''),(6445,'Issue',357,5,'_False Positives_\nLeigitmate usage of remote PowerShell, e.g. remote administration and monitoring.'),(6446,'Issue',357,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:(\"5985\" OR \"5986\")) AND (NOT (event_data.User:\"NT\\ AUTHORITY\\\\NETWORK\\ SERVICE\")))\nindex: so-*\nname: Remote PowerShell Session\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6447,'Issue',357,9,'{{collapse(View Sigma)\n
\n\ntitle: Remote PowerShell Session\nid: c539afac-c12a-46ed-b1bd-5a5567c9f045\ndescription: Detects remote PowerShell connections by monitoring network outbount\n  connections to ports 5985 or 5986 from not network service account\nstatus: experimental\ndate: 2019/09/12\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    DestinationPort:\n    - 5985\n    - 5986\n  filter:\n    User: NT AUTHORITY\\NETWORK SERVICE\n  condition: selection and not filter\nfalsepositives:\n- Leigitmate usage of remote PowerShell, e.g. remote administration and monitoring.\nlevel: high\n\n
\n}}'),(6448,'Issue',357,15,'T1086'),(6449,'Issue',358,1,'Renamed jusched.exe'),(6450,'Issue',358,2,'Markus Neis, Swisscom'),(6451,'Issue',358,8,'https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf'),(6452,'Issue',358,10,'high'),(6453,'Issue',358,13,'community'),(6454,'Issue',358,14,'windows'),(6456,'Issue',358,11,'3042f2e24'),(6457,'Issue',358,12,'edd8a48c-1b9f-4ba1-83aa-490338cd1ccb'),(6458,'Issue',358,16,'win-sysmon'),(6459,'Issue',358,17,''),(6460,'Issue',358,7,''),(6461,'Issue',358,3,'Detects renamed jusched.exe used by cobalt group'),(6462,'Issue',358,4,''),(6463,'Issue',358,5,'_False Positives_\npenetration tests, red teaming'),(6464,'Issue',358,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.pe.description:\"Java\\ Update\\ Scheduler\" OR process.pe.description:\"Java\\(TM\\)\\ Update\\ Scheduler\")) AND (NOT (process.executable.keyword:(*\\\\jusched.exe))))\nindex: so-*\nname: Renamed jusched.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6465,'Issue',358,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed jusched.exe\nstatus: experimental\nid: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb\ndescription: Detects renamed jusched.exe used by cobalt group\nreferences:\n- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf\ntags:\n- attack.t1036\n- attack.execution\nauthor: Markus Neis, Swisscom\ndate: 2019/06/04\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Description: Java Update Scheduler\n  selection2:\n    Description: Java(TM) Update Scheduler\n  filter:\n    Image|endswith:\n    - \\jusched.exe\n  condition: (selection1 or selection2) and not filter\nfalsepositives:\n- penetration tests, red teaming\nlevel: high\n\n
\n}}'),(6466,'Issue',358,15,'T1036'),(6467,'Issue',359,1,'Renamed PowerShell'),(6468,'Issue',359,2,'Florian Roth'),(6469,'Issue',359,8,'https://twitter.com/christophetd/status/1164506034720952320'),(6470,'Issue',359,10,'critical'),(6471,'Issue',359,13,'community'),(6472,'Issue',359,14,'windows'),(6473,'Issue',359,15,''),(6474,'Issue',359,11,'a6d71f3ed'),(6475,'Issue',359,12,'d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20'),(6476,'Issue',359,16,'win-sysmon'),(6477,'Issue',359,17,''),(6478,'Issue',359,7,''),(6479,'Issue',359,3,'Detects the execution of a renamed PowerShell often used by attackers or malware'),(6480,'Issue',359,4,''),(6481,'Issue',359,5,'_False Positives_\nUnknown'),(6482,'Issue',359,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.pe.description:\"Windows\\ PowerShell\" AND event_data.Company:\"Microsoft\\ Corporation\") AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe))))\nindex: so-*\nname: Renamed PowerShell\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6483,'Issue',359,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed PowerShell\nid: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20\nstatus: experimental\ndescription: Detects the execution of a renamed PowerShell often used by attackers\n  or malware\nreferences:\n- https://twitter.com/christophetd/status/1164506034720952320\nauthor: Florian Roth\ndate: 2019/08/22\ntags:\n- car.2013-05-009\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    Description: Windows PowerShell\n    Company: Microsoft Corporation\n  filter:\n    Image:\n    - \'*\\powershell.exe\'\n    - \'*\\powershell_ise.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(6484,'Issue',360,1,'Renamed ProcDump'),(6485,'Issue',360,2,'Florian Roth'),(6486,'Issue',360,8,'https://docs.microsoft.com/en-us/sysinternals/downloads/procdump'),(6487,'Issue',360,10,'critical'),(6488,'Issue',360,13,'community'),(6489,'Issue',360,14,'windows'),(6491,'Issue',360,11,'abbcffccf'),(6492,'Issue',360,12,'4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67'),(6493,'Issue',360,16,'win-sysmon'),(6494,'Issue',360,17,''),(6495,'Issue',360,7,''),(6496,'Issue',360,3,'Detects the execution of a renamed ProcDump executable often used by attackers or malware'),(6497,'Issue',360,4,''),(6498,'Issue',360,5,'_False Positives_\nProcdump illegaly bundled with legitimate software\nWeird admins who renamed binaries'),(6499,'Issue',360,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:\"procdump\" AND (NOT (process.executable.keyword:(*\\\\procdump.exe OR *\\\\procdump64.exe))))\nindex: so-*\nname: Renamed ProcDump\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6500,'Issue',360,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed ProcDump\nid: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67\nstatus: experimental\ndescription: Detects the execution of a renamed ProcDump executable often used by\n  attackers or malware\nreferences:\n- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump\nauthor: Florian Roth\ndate: 2019/11/18\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    OriginalFileName: procdump\n  filter:\n    Image:\n    - \'*\\procdump.exe\'\n    - \'*\\procdump64.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Procdump illegaly bundled with legitimate software\n- Weird admins who renamed binaries\nlevel: critical\n\n
\n}}'),(6501,'Issue',360,15,'T1036'),(6502,'Issue',361,1,'Renamed PsExec'),(6503,'Issue',361,2,'Florian Roth'),(6504,'Issue',361,8,'https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks'),(6505,'Issue',361,10,'high'),(6506,'Issue',361,13,'community'),(6507,'Issue',361,14,'windows'),(6508,'Issue',361,15,''),(6509,'Issue',361,11,'297d076c3'),(6510,'Issue',361,12,'a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2'),(6511,'Issue',361,16,'win-sysmon'),(6512,'Issue',361,17,''),(6513,'Issue',361,7,''),(6514,'Issue',361,3,'Detects the execution of a renamed PsExec often used by attackers or malware'),(6515,'Issue',361,4,''),(6516,'Issue',361,5,'_False Positives_\nSoftware that illegaly integrates PsExec in a renamed form\nAdministrators that have renamed PsExec and no one knows why'),(6517,'Issue',361,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.pe.description:\"Execute\\ processes\\ remotely\" AND process.pe.product:\"Sysinternals\\ PsExec\") AND (NOT (process.executable.keyword:(*\\\\PsExec.exe OR *\\\\PsExec64.exe))))\nindex: so-*\nname: Renamed PsExec\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6518,'Issue',361,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed PsExec\nid: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2\nstatus: experimental\ndescription: Detects the execution of a renamed PsExec often used by attackers or\n  malware\nreferences:\n- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks\nauthor: Florian Roth\ndate: 2019/05/21\ntags:\n- car.2013-05-009\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    Description: Execute processes remotely\n    Product: Sysinternals PsExec\n  filter:\n    Image:\n    - \'*\\PsExec.exe\'\n    - \'*\\PsExec64.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Software that illegaly integrates PsExec in a renamed form\n- Administrators that have renamed PsExec and no one knows why\nlevel: high\n\n
\n}}'),(6519,'Issue',362,1,'Rundll32 Internet Connection'),(6520,'Issue',362,2,'Florian Roth'),(6521,'Issue',362,8,'https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100'),(6522,'Issue',362,10,'medium'),(6523,'Issue',362,13,'community'),(6524,'Issue',362,14,'windows'),(6526,'Issue',362,11,'0381dead4'),(6527,'Issue',362,12,'cdc8da7d-c303-42f8-b08c-b4ab47230263'),(6528,'Issue',362,16,'win-sysmon'),(6529,'Issue',362,17,''),(6530,'Issue',362,7,''),(6531,'Issue',362,3,'Detects a rundll32 that communicates with public IP addresses'),(6532,'Issue',362,4,''),(6533,'Issue',362,5,'_False Positives_\nCommunication to other corporate systems that use IP addresses from public address spaces'),(6534,'Issue',362,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND process.executable.keyword:*\\\\rundll32.exe AND event_data.Initiated:\"true\") AND (NOT (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))\nindex: so-*\nname: Rundll32 Internet Connection\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6535,'Issue',362,9,'{{collapse(View Sigma)\n
\n\ntitle: Rundll32 Internet Connection\nid: cdc8da7d-c303-42f8-b08c-b4ab47230263\nstatus: experimental\ndescription: Detects a rundll32 that communicates with public IP addresses\nreferences:\n- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100\nauthor: Florian Roth\ndate: 2017/11/04\ntags:\n- attack.t1085\n- attack.defense_evasion\n- attack.execution\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Image: \'*\\rundll32.exe\'\n    Initiated: \'true\'\n  filter:\n    DestinationIp:\n    - 10.*\n    - 192.168.*\n    - 172.16.*\n    - 172.17.*\n    - 172.18.*\n    - 172.19.*\n    - 172.20.*\n    - 172.21.*\n    - 172.22.*\n    - 172.23.*\n    - 172.24.*\n    - 172.25.*\n    - 172.26.*\n    - 172.27.*\n    - 172.28.*\n    - 172.29.*\n    - 172.30.*\n    - 172.31.*\n    - 127.*\n  condition: selection and not filter\nfalsepositives:\n- Communication to other corporate systems that use IP addresses from public address\n  spaces\nlevel: medium\n\n
\n}}'),(6536,'Issue',362,15,'T1085'),(6537,'Issue',363,1,'Security Support Provider (SSP) Added to LSA Configuration'),(6538,'Issue',363,2,'iwillkeepwatch'),(6539,'Issue',363,8,'https://attack.mitre.org/techniques/T1101/\nhttps://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/'),(6540,'Issue',363,10,'critical'),(6541,'Issue',363,13,'community'),(6542,'Issue',363,14,'windows'),(6544,'Issue',363,11,'9bc1e9894'),(6545,'Issue',363,12,'eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc'),(6546,'Issue',363,16,'win-sysmon'),(6547,'Issue',363,17,''),(6548,'Issue',363,7,''),(6549,'Issue',363,3,'Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.'),(6550,'Issue',363,4,''),(6551,'Issue',363,5,'_False Positives_\nUnlikely'),(6552,'Issue',363,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject:(\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security\\ Packages\" OR \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security\\ Packages\")) AND (NOT (process.executable:\"C\\:\\\\Windows\\\\system32\\\\msiexec.exe\" OR process.executable:\"C\\:\\\\Windows\\\\syswow64\\\\MsiExec.exe\")))\nindex: so-*\nname: Security Support Provider (SSP) Added to LSA Configuration\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6553,'Issue',363,9,'{{collapse(View Sigma)\n
\n\ntitle: Security Support Provider (SSP) Added to LSA Configuration\nid: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc\nstatus: experimental\ndescription: Detects the addition of a SSP to the registry. Upon a reboot or API call,\n  SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\nreferences:\n- https://attack.mitre.org/techniques/T1101/\n- https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/\ntags:\n- attack.persistence\n- attack.t1011\nauthor: iwillkeepwatch\ndate: 2019/01/18\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_registry:\n    EventID: 13\n    TargetObject:\n    - HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages\n    - HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages\n  exclusion_images:\n  - Image: C:\\Windows\\system32\\msiexec.exe\n  - Image: C:\\Windows\\syswow64\\MsiExec.exe\n  condition: selection_registry and not exclusion_images\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(6554,'Issue',363,15,'T1011'),(6555,'Issue',364,1,'Suspicious ADSI-Cache Usage By Unknown Tool'),(6556,'Issue',364,2,'xknow @xknow_infosec'),(6557,'Issue',364,8,'https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961\nhttps://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/\nhttps://github.com/fox-it/LDAPFragger'),(6558,'Issue',364,10,'high'),(6559,'Issue',364,13,'community'),(6560,'Issue',364,14,'windows'),(6562,'Issue',364,11,'8268e4aa6'),(6563,'Issue',364,12,'75bf09fa-1dd7-4d18-9af9-dd9e492562eb'),(6564,'Issue',364,16,'win-sysmon'),(6565,'Issue',364,17,''),(6566,'Issue',364,7,''),(6567,'Issue',364,3,'detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.'),(6568,'Issue',364,4,''),(6569,'Issue',364,5,'_False Positives_\nOther legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.'),(6570,'Issue',364,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\*.sch) AND (NOT (process.executable.keyword:(*C\\:\\\\windows\\\\system32\\\\svchost.exe* OR *C\\:\\\\windows\\\\system32\\\\dllhost.exe* OR *C\\:\\\\windows\\\\system32\\\\mmc.exe* OR *C\\:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe*))))\nindex: so-*\nname: Suspicious ADSI-Cache Usage By Unknown Tool\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6571,'Issue',364,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious ADSI-Cache Usage By Unknown Tool\nid: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb\ndescription: detects the usage of ADSI (LDAP) operations by tools. This may also detect\n  tools like LDAPFragger.\nstatus: experimental\ndate: 2019/03/24\nauthor: xknow @xknow_infosec\nreferences:\n- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961\n- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/\n- https://github.com/fox-it/LDAPFragger\ntags:\n- attack.t1041\n- attack.persistence\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_1:\n    EventID: 11\n    TargetFilename: \'*\\Local\\Microsoft\\Windows\\SchCache\\*.sch\'\n  selection_2:\n    Image|contains:\n    - C:\\windows\\system32\\svchost.exe\n    - C:\\windows\\system32\\dllhost.exe\n    - C:\\windows\\system32\\mmc.exe\n    - C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\n  condition: selection_1 and not selection_2\nfalsepositives:\n- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity\n  by MMC, Powershell, Windows etc.\nlevel: high\n\n
\n}}'),(6572,'Issue',364,15,'T1041'),(6573,'Issue',365,1,'Suspicious desktop.ini Action'),(6574,'Issue',365,2,'Maxime Thiebaut (@0xThiebaut)'),(6575,'Issue',365,8,'https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/'),(6576,'Issue',365,10,'medium'),(6577,'Issue',365,13,'community'),(6578,'Issue',365,14,'windows'),(6580,'Issue',365,11,'370bd2225'),(6581,'Issue',365,12,'81315b50-6b60-4d8f-9928-3466e1022515'),(6582,'Issue',365,16,'win-sysmon'),(6583,'Issue',365,17,''),(6584,'Issue',365,7,''),(6585,'Issue',365,3,'Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder\'s content (i.e. renaming files) without changing them on disk.'),(6586,'Issue',365,4,''),(6587,'Issue',365,5,'_False Positives_\nOperations performed through Windows SCCM or equivalent'),(6588,'Issue',365,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\desktop.ini) AND (NOT (process.executable:(\"C\\:\\\\Windows\\\\explorer.exe\" OR \"C\\:\\\\Windows\\\\System32\\\\msiexec.exe\" OR \"C\\:\\\\Windows\\\\System32\\\\mmc.exe\"))))\nindex: so-*\nname: Suspicious desktop.ini Action\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6589,'Issue',365,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious desktop.ini Action\nid: 81315b50-6b60-4d8f-9928-3466e1022515\nstatus: experimental\ndescription: Detects unusual processes accessing desktop.ini, which can be leveraged\n  to alter how Explorer displays a folder\'s content (i.e. renaming files) without\n  changing them on disk.\nreferences:\n- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/\nauthor: Maxime Thiebaut (@0xThiebaut)\ndate: 2020/03/19\ntags:\n- attack.persistence\n- attack.t1023\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  filter:\n    Image:\n    - C:\\Windows\\explorer.exe\n    - C:\\Windows\\System32\\msiexec.exe\n    - C:\\Windows\\System32\\mmc.exe\n  selection:\n    EventID: 11\n    TargetFilename|endswith: \\desktop.ini\n  condition: selection and not filter\nfalsepositives:\n- Operations performed through Windows SCCM or equivalent\nlevel: medium\n\n
\n}}'),(6590,'Issue',365,15,'T1023'),(6591,'Issue',366,1,'Suspicious RUN Key from Download'),(6592,'Issue',366,2,'Florian Roth'),(6593,'Issue',366,8,'https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/'),(6594,'Issue',366,10,'high'),(6595,'Issue',366,13,'community'),(6596,'Issue',366,14,'windows'),(6598,'Issue',366,11,'4a98c6777'),(6599,'Issue',366,12,'9c5037d1-c568-49b3-88c7-9846a5bdc2be'),(6600,'Issue',366,16,'win-sysmon'),(6601,'Issue',366,17,''),(6602,'Issue',366,7,''),(6603,'Issue',366,3,'Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories'),(6604,'Issue',366,4,''),(6605,'Issue',366,5,'_False Positives_\nSoftware installers downloaded and used by users'),(6606,'Issue',366,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND process.executable.keyword:(*\\\\Downloads\\\\* OR *\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\* OR *\\\\Local\\ Settings\\\\Temporary\\ Internet\\ Files\\\\*) AND event_data.TargetObject.keyword:*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*)\nindex: so-*\nname: Suspicious RUN Key from Download\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6607,'Issue',366,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious RUN Key from Download\nid: 9c5037d1-c568-49b3-88c7-9846a5bdc2be\nstatus: experimental\ndescription: Detects the suspicious RUN keys created by software located in Download\n  or temporary Outlook/Internet Explorer directories\nreferences:\n- https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/\nauthor: Florian Roth\ndate: 2019/10/01\ntags:\n- attack.persistence\n- attack.t1060\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    Image:\n    - \'*\\Downloads\\\\*\'\n    - \'*\\Temporary Internet Files\\Content.Outlook\\\\*\'\n    - \'*\\Local Settings\\Temporary Internet Files\\\\*\'\n    TargetObject: \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*\'\n  condition: selection\nfalsepositives:\n- Software installers downloaded and used by users\nlevel: high\n\n
\n}}'),(6608,'Issue',366,15,'T1060'),(6609,'Issue',367,1,'Suspicious Driver Load from Temp'),(6610,'Issue',367,2,'Florian Roth'),(6611,'Issue',367,8,'none'),(6612,'Issue',367,10,'medium'),(6613,'Issue',367,13,'community'),(6614,'Issue',367,14,'windows'),(6616,'Issue',367,11,'d9e3b1335'),(6617,'Issue',367,12,'2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75'),(6618,'Issue',367,16,'win-sysmon'),(6619,'Issue',367,17,''),(6620,'Issue',367,7,''),(6621,'Issue',367,3,'Detects a driver load from a temporary directory'),(6622,'Issue',367,4,''),(6623,'Issue',367,5,'_False Positives_\nthere is a relevant set of false positives depending on applications in the environment'),(6624,'Issue',367,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"6\" AND event_data.ImageLoaded.keyword:*\\\\Temp\\\\*)\nindex: so-*\nname: Suspicious Driver Load from Temp\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6625,'Issue',367,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Driver Load from Temp\nid: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75\ndescription: Detects a driver load from a temporary directory\nauthor: Florian Roth\ndate: 2017/02/12\ntags:\n- attack.persistence\n- attack.t1050\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 6\n    ImageLoaded: \'*\\Temp\\\\*\'\n  condition: selection\nfalsepositives:\n- there is a relevant set of false positives depending on applications in the environment\nlevel: medium\n\n
\n}}'),(6626,'Issue',367,15,'T1050'),(6627,'Issue',368,1,'Suspicious File Characteristics Due to Missing Fields'),(6628,'Issue',368,2,'Markus Neis'),(6629,'Issue',368,8,'https://securelist.com/muddywater/88059/\nhttps://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection'),(6630,'Issue',368,10,'medium'),(6631,'Issue',368,13,'community'),(6632,'Issue',368,14,'windows'),(6634,'Issue',368,11,'c82bedced'),(6635,'Issue',368,12,'9637e8a5-7131-4f7f-bdc7-2b05d8670c43'),(6636,'Issue',368,16,'win-sysmon'),(6637,'Issue',368,17,''),(6638,'Issue',368,7,''),(6639,'Issue',368,3,'Detects Executables without FileVersion,Description,Product,Company likely created with py2exe'),(6640,'Issue',368,4,''),(6641,'Issue',368,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(6642,'Issue',368,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.pe.description:\"\\?\" AND (event_data.FileVersion:\"\\?\" OR process.pe.product:\"\\?\" OR event_data.Company:\"\\?\"))\nindex: so-*\nname: Suspicious File Characteristics Due to Missing Fields\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6643,'Issue',368,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious File Characteristics Due to Missing Fields\nid: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43\ndescription: Detects Executables without FileVersion,Description,Product,Company likely\n  created with py2exe\nstatus: experimental\nreferences:\n- https://securelist.com/muddywater/88059/\n- https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection\nauthor: Markus Neis\ndate: 2018/11/22\nmodified: 2019/11/09\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection1:\n    Description: \\?\n    FileVersion: \\?\n  selection2:\n    Description: \\?\n    Product: \\?\n  selection3:\n    Description: \\?\n    Company: \\?\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(6644,'Issue',368,15,'T1064'),(6645,'Issue',369,1,'Possible Process Hollowing Image Loading'),(6646,'Issue',369,2,'Markus Neis'),(6647,'Issue',369,8,'https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html'),(6648,'Issue',369,10,'high'),(6649,'Issue',369,13,'community'),(6650,'Issue',369,14,'windows'),(6652,'Issue',369,11,'5e6ed7268'),(6653,'Issue',369,12,'e32ce4f5-46c6-4c47-ba69-5de3c9193cd7'),(6654,'Issue',369,16,'win-sysmon'),(6655,'Issue',369,17,''),(6656,'Issue',369,7,''),(6657,'Issue',369,3,'Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz'),(6658,'Issue',369,4,''),(6659,'Issue',369,5,'_False Positives_\nVery likely, needs more tuning'),(6660,'Issue',369,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\notepad.exe) AND event_data.ImageLoaded.keyword:(*\\\\samlib.dll OR *\\\\WinSCard.dll))\nindex: so-*\nname: Possible Process Hollowing Image Loading\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6661,'Issue',369,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Process Hollowing Image Loading\nid: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7\nstatus: experimental\ndescription: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g.\n  through process hollowing by Mimikatz\nreferences:\n- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html\nauthor: Markus Neis\ndate: 2018/01/07\ntags:\n- attack.defense_evasion\n- attack.t1073\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\notepad.exe\'\n    ImageLoaded:\n    - \'*\\samlib.dll\'\n    - \'*\\WinSCard.dll\'\n  condition: selection\nfalsepositives:\n- Very likely, needs more tuning\nlevel: high\n\n
\n}}'),(6662,'Issue',369,15,'T1073'),(6663,'Issue',370,1,'DLL Load via LSASS'),(6664,'Issue',370,2,'Florian Roth'),(6665,'Issue',370,8,'https://blog.xpnsec.com/exploring-mimikatz-part-1/\nhttps://twitter.com/SBousseaden/status/1183745981189427200'),(6666,'Issue',370,10,'high'),(6667,'Issue',370,13,'community'),(6668,'Issue',370,14,'windows'),(6670,'Issue',370,11,'351d4d774'),(6671,'Issue',370,12,'b3503044-60ce-4bf4-bbcb-e3db98788823'),(6672,'Issue',370,16,'win-sysmon'),(6673,'Issue',370,17,''),(6674,'Issue',370,7,''),(6675,'Issue',370,3,'Detects a method to load DLL via LSASS process using an undocumented Registry key'),(6676,'Issue',370,4,''),(6677,'Issue',370,5,'_False Positives_\nUnknown'),(6678,'Issue',370,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"12\" OR \"13\") AND event_data.TargetObject.keyword:(*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt* OR *\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt*))\nindex: so-*\nname: DLL Load via LSASS\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6679,'Issue',370,9,'{{collapse(View Sigma)\n
\n\ntitle: DLL Load via LSASS\nid: b3503044-60ce-4bf4-bbcb-e3db98788823\nstatus: experimental\ndescription: Detects a method to load DLL via LSASS process using an undocumented\n  Registry key\nauthor: Florian Roth\ndate: 2019/10/16\nreferences:\n- https://blog.xpnsec.com/exploring-mimikatz-part-1/\n- https://twitter.com/SBousseaden/status/1183745981189427200\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID:\n    - 12\n    - 13\n    TargetObject:\n    - \'*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt*\'\n    - \'*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt*\'\n  condition: selection\ntags:\n- attack.execution\n- attack.t1177\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6680,'Issue',370,15,'T1177'),(6681,'Issue',371,1,'dotNET DLL Loaded Via Office Applications'),(6682,'Issue',371,2,'Antonlovesdnb'),(6683,'Issue',371,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6684,'Issue',371,10,'high'),(6685,'Issue',371,13,'community'),(6686,'Issue',371,14,'windows'),(6688,'Issue',371,11,'0080b54ee'),(6689,'Issue',371,12,'ff0f2b05-09db-4095-b96d-1b75ca24894a'),(6690,'Issue',371,16,'win-sysmon'),(6691,'Issue',371,17,''),(6692,'Issue',371,7,''),(6693,'Issue',371,3,'Detects any assembly DLL being loaded by an Office Product'),(6694,'Issue',371,4,''),(6695,'Issue',371,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6696,'Issue',371,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*C\\:\\\\Windows\\\\assembly\\*))\nindex: so-*\nname: dotNET DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6697,'Issue',371,9,'{{collapse(View Sigma)\n
\n\ntitle: dotNET DLL Loaded Via Office Applications\nid: ff0f2b05-09db-4095-b96d-1b75ca24894a\nstatus: experimental\ndescription: Detects any assembly DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe*\'\n    - \'*\\powerpnt.exe*\'\n    - \'*\\excel.exe*\'\n    - \'*\\outlook.exe*\'\n    ImageLoaded:\n    - \'*C:\\Windows\\assembly\\*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6698,'Issue',371,15,'T1193'),(6699,'Issue',372,1,'CLR DLL Loaded Via Office Applications'),(6700,'Issue',372,2,'Antonlovesdnb'),(6701,'Issue',372,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6702,'Issue',372,10,'high'),(6703,'Issue',372,13,'community'),(6704,'Issue',372,14,'windows'),(6706,'Issue',372,11,'7105151cd'),(6707,'Issue',372,12,'d13c43f0-f66b-4279-8b2c-5912077c1780'),(6708,'Issue',372,16,'win-sysmon'),(6709,'Issue',372,17,''),(6710,'Issue',372,7,''),(6711,'Issue',372,3,'Detects CLR DLL being loaded by an Office Product'),(6712,'Issue',372,4,''),(6713,'Issue',372,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6714,'Issue',372,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\clr.dll*))\nindex: so-*\nname: CLR DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6715,'Issue',372,9,'{{collapse(View Sigma)\n
\n\ntitle: CLR DLL Loaded Via Office Applications\nid: d13c43f0-f66b-4279-8b2c-5912077c1780\nstatus: experimental\ndescription: Detects CLR DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe\'\n    - \'*\\powerpnt.exe\'\n    - \'*\\excel.exe\'\n    - \'*\\outlook.exe\'\n    ImageLoaded:\n    - \'*\\clr.dll*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6716,'Issue',372,15,'T1193'),(6717,'Issue',373,1,'GAC DLL Loaded Via Office Applications'),(6718,'Issue',373,2,'Antonlovesdnb'),(6719,'Issue',373,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6720,'Issue',373,10,'high'),(6721,'Issue',373,13,'community'),(6722,'Issue',373,14,'windows'),(6724,'Issue',373,11,'e450b3ce2'),(6725,'Issue',373,12,'90217a70-13fc-48e4-b3db-0d836c5824ac'),(6726,'Issue',373,16,'win-sysmon'),(6727,'Issue',373,17,''),(6728,'Issue',373,7,''),(6729,'Issue',373,3,'Detects any GAC DLL being loaded by an Office Product'),(6730,'Issue',373,4,''),(6731,'Issue',373,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6732,'Issue',373,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*C\\:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC_MSIL*))\nindex: so-*\nname: GAC DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6733,'Issue',373,9,'{{collapse(View Sigma)\n
\n\ntitle: GAC DLL Loaded Via Office Applications\nid: 90217a70-13fc-48e4-b3db-0d836c5824ac\nstatus: experimental\ndescription: Detects any GAC DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe*\'\n    - \'*\\powerpnt.exe*\'\n    - \'*\\excel.exe*\'\n    - \'*\\outlook.exe*\'\n    ImageLoaded:\n    - \'*C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6734,'Issue',373,15,'T1193'),(6735,'Issue',374,1,'Active Directory Parsing DLL Loaded Via Office Applications'),(6736,'Issue',374,2,'Antonlovesdnb'),(6737,'Issue',374,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6738,'Issue',374,10,'high'),(6739,'Issue',374,13,'community'),(6740,'Issue',374,14,'windows'),(6742,'Issue',374,11,'203be1d6b'),(6743,'Issue',374,12,'a2a3b925-7bb0-433b-b508-db9003263cc4'),(6744,'Issue',374,16,'win-sysmon'),(6745,'Issue',374,17,''),(6746,'Issue',374,7,''),(6747,'Issue',374,3,'Detects DSParse DLL being loaded by an Office Product'),(6748,'Issue',374,4,''),(6749,'Issue',374,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6750,'Issue',374,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\dsparse.dll*))\nindex: so-*\nname: Active Directory Parsing DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6751,'Issue',374,9,'{{collapse(View Sigma)\n
\n\ntitle: Active Directory Parsing DLL Loaded Via Office Applications\nid: a2a3b925-7bb0-433b-b508-db9003263cc4\nstatus: experimental\ndescription: Detects DSParse DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe\'\n    - \'*\\powerpnt.exe\'\n    - \'*\\excel.exe\'\n    - \'*\\outlook.exe\'\n    ImageLoaded:\n    - \'*\\dsparse.dll*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6752,'Issue',374,15,'T1193'),(6753,'Issue',375,1,'Active Directory Kerberos DLL Loaded Via Office Applications'),(6754,'Issue',375,2,'Antonlovesdnb'),(6755,'Issue',375,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6756,'Issue',375,10,'high'),(6757,'Issue',375,13,'community'),(6758,'Issue',375,14,'windows'),(6760,'Issue',375,11,'3ce399676'),(6761,'Issue',375,12,'7417e29e-c2e7-4cf6-a2e8-767228c64837'),(6762,'Issue',375,16,'win-sysmon'),(6763,'Issue',375,17,''),(6764,'Issue',375,7,''),(6765,'Issue',375,3,'Detects Kerberos DLL being loaded by an Office Product'),(6766,'Issue',375,4,''),(6767,'Issue',375,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6768,'Issue',375,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*\\\\kerberos.dll*))\nindex: so-*\nname: Active Directory Kerberos DLL Loaded Via Office Applications\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6769,'Issue',375,9,'{{collapse(View Sigma)\n
\n\ntitle: Active Directory Kerberos DLL Loaded Via Office Applications\nid: 7417e29e-c2e7-4cf6-a2e8-767228c64837\nstatus: experimental\ndescription: Detects Kerberos DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe*\'\n    - \'*\\powerpnt.exe*\'\n    - \'*\\excel.exe*\'\n    - \'*\\outlook.exe*\'\n    ImageLoaded:\n    - \'*\\kerberos.dll*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6770,'Issue',375,15,'T1193'),(6771,'Issue',376,1,'PowerShell Rundll32 Remote Thread Creation'),(6772,'Issue',376,2,'Florian Roth'),(6773,'Issue',376,8,'https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html'),(6774,'Issue',376,10,'high'),(6775,'Issue',376,13,'community'),(6776,'Issue',376,14,'windows'),(6778,'Issue',376,11,'037897459'),(6779,'Issue',376,12,'99b97608-3e21-4bfe-8217-2a127c396a0e'),(6780,'Issue',376,16,'win-sysmon'),(6781,'Issue',376,17,''),(6782,'Issue',376,7,''),(6783,'Issue',376,3,'Detects PowerShell remote thread creation in Rundll32.exe'),(6784,'Issue',376,4,''),(6785,'Issue',376,5,'_False Positives_\nUnkown'),(6786,'Issue',376,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.SourceImage.keyword:*\\\\powershell.exe AND event_data.TargetImage.keyword:*\\\\rundll32.exe)\nindex: so-*\nname: PowerShell Rundll32 Remote Thread Creation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6787,'Issue',376,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Rundll32 Remote Thread Creation\nid: 99b97608-3e21-4bfe-8217-2a127c396a0e\nstatus: experimental\ndescription: Detects PowerShell remote thread creation in Rundll32.exe\nauthor: Florian Roth\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html\ndate: 2018/06/25\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 8\n    SourceImage: \'*\\powershell.exe\'\n    TargetImage: \'*\\rundll32.exe\'\n  condition: selection\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\n- attack.t1086\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(6788,'Issue',376,15,'T1085'),(6789,'Issue',376,15,'T1086'),(6790,'Issue',377,1,'Suspicious PROCEXP152.sys File Created In TMP'),(6791,'Issue',377,2,'xknow (@xknow_infosec), xorxes (@xor_xes)'),(6792,'Issue',377,8,'https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/'),(6793,'Issue',377,10,'medium'),(6794,'Issue',377,13,'community'),(6795,'Issue',377,14,'windows'),(6797,'Issue',377,11,'9af1e153b'),(6798,'Issue',377,12,'3da70954-0f2c-4103-adff-b7440368f50e'),(6799,'Issue',377,16,'win-sysmon'),(6800,'Issue',377,17,''),(6801,'Issue',377,7,''),(6802,'Issue',377,3,'Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.'),(6803,'Issue',377,4,''),(6804,'Issue',377,5,'_False Positives_\nOther legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don\'t rely on it.'),(6805,'Issue',377,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\AppData\\\\Local\\\\Temp\\*\\\\PROCEXP152.sys) AND (NOT (process.executable.keyword:(*\\\\procexp64.exe* OR *\\\\procexp.exe* OR *\\\\procmon64.exe* OR *\\\\procmon.exe*))))\nindex: so-*\nname: Suspicious PROCEXP152.sys File Created In TMP\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6806,'Issue',377,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious PROCEXP152.sys File Created In TMP\nid: 3da70954-0f2c-4103-adff-b7440368f50e\ndescription: Detects the creation of the PROCEXP152.sys file in the application-data\n  local temporary folder. This driver is used by Sysinternals Process Explorer but\n  also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),\n  which uses KDU.\nstatus: experimental\ndate: 2019/04/08\nauthor: xknow (@xknow_infosec), xorxes (@xor_xes)\nreferences:\n- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_1:\n    EventID: 11\n    TargetFilename: \'*\\AppData\\Local\\Temp\\*\\PROCEXP152.sys\'\n  selection_2:\n    Image|contains:\n    - \'*\\procexp64.exe\'\n    - \'*\\procexp.exe\'\n    - \'*\\procmon64.exe\'\n    - \'*\\procmon.exe\'\n  condition: selection_1 and not selection_2\nfalsepositives:\n- Other legimate tools using this driver and filename (like Sysinternals). Note -\n  Clever attackers may easily bypass this detection by just renaming the driver filename.\n  Therefore just Medium-level and don\'t rely on it.\nlevel: medium\n\n
\n}}'),(6807,'Issue',377,15,'T1089'),(6808,'Issue',378,1,'Suspicious Program Location with Network Connections'),(6809,'Issue',378,2,'Florian Roth'),(6810,'Issue',378,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(6811,'Issue',378,10,'high'),(6812,'Issue',378,13,'community'),(6813,'Issue',378,14,'windows'),(6814,'Issue',378,15,''),(6815,'Issue',378,11,'58575f239'),(6816,'Issue',378,12,'7b434893-c57d-4f41-908d-6a17bf1ae98f'),(6817,'Issue',378,16,'win-sysmon'),(6818,'Issue',378,17,''),(6819,'Issue',378,7,''),(6820,'Issue',378,3,'Detects programs with network connections running in suspicious files system locations'),(6821,'Issue',378,4,''),(6822,'Issue',378,5,'_False Positives_\nunknown'),(6823,'Issue',378,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\All\\ Users\\\\* OR *\\\\Users\\\\Default\\\\* OR *\\\\Users\\\\Public\\\\* OR *\\\\Users\\\\Contacts\\\\* OR *\\\\Users\\\\Searches\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\config\\\\systemprofile\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\*))\nindex: so-*\nname: Suspicious Program Location with Network Connections\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6824,'Issue',378,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Program Location with Network Connections\nid: 7b434893-c57d-4f41-908d-6a17bf1ae98f\nstatus: experimental\ndescription: Detects programs with network connections running in suspicious files\n  system locations\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nauthor: Florian Roth\ndate: 2017/03/19\nlogsource:\n  product: windows\n  service: sysmon\n  definition: Use the following config to generate the necessary Event ID 3 Network\n    Connection events\ndetection:\n  selection:\n    EventID: 3\n    Image:\n    - \'*\\$Recycle.bin\'\n    - \'*\\Users\\All Users\\\\*\'\n    - \'*\\Users\\Default\\\\*\'\n    - \'*\\Users\\Public\\\\*\'\n    - \'*\\Users\\Contacts\\\\*\'\n    - \'*\\Users\\Searches\\\\*\'\n    - C:\\Perflogs\\\\*\n    - \'*\\config\\systemprofile\\\\*\'\n    - \'*\\Windows\\Fonts\\\\*\'\n    - \'*\\Windows\\IME\\\\*\'\n    - \'*\\Windows\\addins\\\\*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6825,'Issue',379,1,'Suspicious Outbound RDP Connections'),(6826,'Issue',379,2,'Markus Neis - Swisscom'),(6827,'Issue',379,8,'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708'),(6828,'Issue',379,10,'high'),(6829,'Issue',379,13,'community'),(6830,'Issue',379,14,'windows'),(6832,'Issue',379,11,'9f1b0b238'),(6833,'Issue',379,12,'ed74fe75-7594-4b4b-ae38-e38e3fd2eb23'),(6834,'Issue',379,16,'win-sysmon'),(6835,'Issue',379,17,''),(6836,'Issue',379,7,''),(6837,'Issue',379,3,'Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement'),(6838,'Issue',379,4,''),(6839,'Issue',379,5,'_False Positives_\nOther Remote Desktop RDP tools'),(6840,'Issue',379,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:\"3389\" AND event_data.Initiated:\"true\") AND (NOT (process.executable.keyword:(*\\\\mstsc.exe OR *\\\\RTSApp.exe OR *\\\\RTS2App.exe OR *\\\\RDCMan.exe OR *\\\\ws_TunnelService.exe OR *\\\\RSSensor.exe OR *\\\\RemoteDesktopManagerFree.exe OR *\\\\RemoteDesktopManager.exe OR *\\\\RemoteDesktopManager64.exe OR *\\\\mRemoteNG.exe OR *\\\\mRemote.exe OR *\\\\Terminals.exe OR *\\\\spiceworks\\-finder.exe OR *\\\\FSDiscovery.exe OR *\\\\FSAssessment.exe OR *\\\\MobaRTE.exe OR *\\\\chrome.exe OR *\\\\thor.exe OR *\\\\thor64.exe))))\nindex: so-*\nname: Suspicious Outbound RDP Connections\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6841,'Issue',379,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Outbound RDP Connections\nid: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23\nstatus: experimental\ndescription: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible\n  lateral movement\nreferences:\n- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708\nauthor: Markus Neis - Swisscom\ndate: 2019/05/15\ntags:\n- attack.lateral_movement\n- attack.t1210\n- car.2013-07-002\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    DestinationPort: 3389\n    Initiated: \'true\'\n  filter:\n    Image:\n    - \'*\\mstsc.exe\'\n    - \'*\\RTSApp.exe\'\n    - \'*\\RTS2App.exe\'\n    - \'*\\RDCMan.exe\'\n    - \'*\\ws_TunnelService.exe\'\n    - \'*\\RSSensor.exe\'\n    - \'*\\RemoteDesktopManagerFree.exe\'\n    - \'*\\RemoteDesktopManager.exe\'\n    - \'*\\RemoteDesktopManager64.exe\'\n    - \'*\\mRemoteNG.exe\'\n    - \'*\\mRemote.exe\'\n    - \'*\\Terminals.exe\'\n    - \'*\\spiceworks-finder.exe\'\n    - \'*\\FSDiscovery.exe\'\n    - \'*\\FSAssessment.exe\'\n    - \'*\\MobaRTE.exe\'\n    - \'*\\chrome.exe\'\n    - \'*\\thor.exe\'\n    - \'*\\thor64.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Other Remote Desktop RDP tools\nlevel: high\n\n
\n}}'),(6842,'Issue',379,15,'T1210'),(6843,'Issue',380,1,'Registry Persistence via Explorer Run Key'),(6844,'Issue',380,2,'Florian Roth'),(6845,'Issue',380,8,'https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/'),(6846,'Issue',380,10,'high'),(6847,'Issue',380,13,'community'),(6848,'Issue',380,14,'windows'),(6850,'Issue',380,11,'d976ce159'),(6851,'Issue',380,12,'b7916c2a-fa2f-4795-9477-32b731f70f11'),(6852,'Issue',380,16,'win-sysmon'),(6853,'Issue',380,17,''),(6854,'Issue',380,7,''),(6855,'Issue',380,3,'Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder'),(6856,'Issue',380,4,''),(6857,'Issue',380,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nImage\nParentImage'),(6858,'Issue',380,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run AND event_data.Details.keyword:(C\\:\\\\Windows\\\\Temp\\\\* OR C\\:\\\\ProgramData\\\\* OR *\\\\AppData\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Temp\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\Default\\\\*))\nindex: so-*\nname: Registry Persistence via Explorer Run Key\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6859,'Issue',380,9,'{{collapse(View Sigma)\n
\n\ntitle: Registry Persistence via Explorer Run Key\nid: b7916c2a-fa2f-4795-9477-32b731f70f11\nstatus: experimental\ndescription: Detects a possible persistence mechanism using RUN key for Windows Explorer\n  and pointing to a suspicious folder\nauthor: Florian Roth\ndate: 2018/07/18\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject: \'*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\'\n    Details:\n    - C:\\Windows\\Temp\\\\*\n    - C:\\ProgramData\\\\*\n    - \'*\\AppData\\\\*\'\n    - C:\\$Recycle.bin\\\\*\n    - C:\\Temp\\\\*\n    - C:\\Users\\Public\\\\*\n    - C:\\Users\\Default\\\\*\n  condition: selection\ntags:\n- attack.persistence\n- attack.t1060\n- capec.270\nfields:\n- Image\n- ParentImage\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6860,'Issue',380,15,'T1060'),(6861,'Issue',381,1,'New RUN Key Pointing to Suspicious Folder'),(6862,'Issue',381,2,'Florian Roth, Markus Neis'),(6863,'Issue',381,8,'https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html'),(6864,'Issue',381,10,'high'),(6865,'Issue',381,13,'community'),(6866,'Issue',381,14,'windows'),(6868,'Issue',381,11,'321e02b21'),(6869,'Issue',381,12,'02ee49e2-e294-4d0f-9278-f5b3212fc588'),(6870,'Issue',381,16,'win-sysmon'),(6871,'Issue',381,17,''),(6872,'Issue',381,7,''),(6873,'Issue',381,3,'Detects suspicious new RUN key element pointing to an executable in a suspicious folder'),(6874,'Issue',381,4,''),(6875,'Issue',381,5,'_False Positives_\nSoftware using the AppData folders for updates\n\n_Interesting Log Fields_\nImage'),(6876,'Issue',381,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\* OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*) AND event_data.Details.keyword:(*C\\:\\\\Windows\\\\Temp\\\\* OR *\\\\AppData\\\\* OR %AppData%\\\\* OR *C\\:\\\\$Recycle.bin\\\\* OR *C\\:\\\\Temp\\\\* OR *C\\:\\\\Users\\\\Public\\\\* OR %Public%\\\\* OR *C\\:\\\\Users\\\\Default\\\\* OR *C\\:\\\\Users\\\\Desktop\\\\* OR wscript* OR cscript*)) AND (NOT (event_data.Details.keyword:(*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\*))))\nindex: so-*\nname: New RUN Key Pointing to Suspicious Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6877,'Issue',381,9,'{{collapse(View Sigma)\n
\n\ntitle: New RUN Key Pointing to Suspicious Folder\nid: 02ee49e2-e294-4d0f-9278-f5b3212fc588\nstatus: experimental\ndescription: Detects suspicious new RUN key element pointing to an executable in a\n  suspicious folder\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\nauthor: Florian Roth, Markus Neis\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2018/08/25\nmodified: 2020/02/26\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject:\n    - \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*\'\n    - \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\\*\'\n    Details:\n    - \'*C:\\Windows\\Temp\\\\*\'\n    - \'*\\AppData\\\\*\'\n    - \'%AppData%\\\\*\'\n    - \'*C:\\$Recycle.bin\\\\*\'\n    - \'*C:\\Temp\\\\*\'\n    - \'*C:\\Users\\Public\\\\*\'\n    - \'%Public%\\\\*\'\n    - \'*C:\\Users\\Default\\\\*\'\n    - \'*C:\\Users\\Desktop\\\\*\'\n    - wscript*\n    - cscript*\n  filter:\n    Details|contains:\n    - \\AppData\\Local\\Microsoft\\OneDrive\\\n  condition: selection and not filter\nfields:\n- Image\nfalsepositives:\n- Software using the AppData folders for updates\nlevel: high\n\n
\n}}'),(6878,'Issue',381,15,'T1060'),(6879,'Issue',382,1,'Suspicious Service Installed'),(6880,'Issue',382,2,'xknow (@xknow_infosec), xorxes (@xor_xes)'),(6881,'Issue',382,8,'https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/'),(6882,'Issue',382,10,'medium'),(6883,'Issue',382,13,'community'),(6884,'Issue',382,14,'windows'),(6886,'Issue',382,11,'9842ac371'),(6887,'Issue',382,12,'f2485272-a156-4773-82d7-1d178bc4905b'),(6888,'Issue',382,16,'win-sysmon'),(6889,'Issue',382,17,''),(6890,'Issue',382,7,''),(6891,'Issue',382,3,'Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)'),(6892,'Issue',382,4,''),(6893,'Issue',382,5,'_False Positives_\nOther legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don\'t rely on it.'),(6894,'Issue',382,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"13\" AND event_data.TargetObject:(\"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\NalDrv\\\\ImagePath\" OR \"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PROCEXP152\\\\ImagePath\")) AND (NOT (process.executable.keyword:(*\\\\procexp64.exe* OR *\\\\procexp.exe* OR *\\\\procmon64.exe* OR *\\\\procmon.exe*)))) AND (NOT (event_data.Details.keyword:(*\\\\WINDOWS\\\\system32\\\\Drivers\\\\PROCEXP152.SYS*))))\nindex: so-*\nname: Suspicious Service Installed\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6895,'Issue',382,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Service Installed\nid: f2485272-a156-4773-82d7-1d178bc4905b\ndescription: Detects installation of NalDrv or PROCEXP152 services via registry-keys\n  to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),\n  which uses KDU (https://github.com/hfiref0x/KDU)\nstatus: experimental\ndate: 2019/04/08\nauthor: xknow (@xknow_infosec), xorxes (@xor_xes)\nreferences:\n- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_1:\n    EventID: 13\n    TargetObject:\n    - HKLM\\System\\CurrentControlSet\\Services\\NalDrv\\ImagePath\n    - HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath\n  selection_2:\n    Image|contains:\n    - \'*\\procexp64.exe\'\n    - \'*\\procexp.exe\'\n    - \'*\\procmon64.exe\'\n    - \'*\\procmon.exe\'\n  selection_3:\n    Details|contains:\n    - \'*\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS\'\n  condition: selection_1 and not selection_2 and not selection_3\nfalsepositives:\n- Other legimate tools using this service names and drivers. Note - clever attackers\n  may easily bypass this detection by just renaming the services. Therefore just Medium-level\n  and don\'t rely on it.\nlevel: medium\n\n
\n}}'),(6896,'Issue',382,15,'T1089'),(6897,'Issue',383,1,'VBA DLL Loaded Via Microsoft Word'),(6898,'Issue',383,2,'Antonlovesdnb'),(6899,'Issue',383,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6900,'Issue',383,10,'high'),(6901,'Issue',383,13,'community'),(6902,'Issue',383,14,'windows'),(6904,'Issue',383,11,'53eb4530b'),(6905,'Issue',383,12,'e6ce8457-68b1-485b-9bdd-3c2b5d679aa9'),(6906,'Issue',383,16,'win-sysmon'),(6907,'Issue',383,17,''),(6908,'Issue',383,7,''),(6909,'Issue',383,3,'Detects DLL\'s Loaded Via Word Containing VBA Macros'),(6910,'Issue',383,4,''),(6911,'Issue',383,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6912,'Issue',383,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*\\\\VBE7.DLL* OR *\\\\VBEUI.DLL* OR *\\\\VBE7INTL.DLL*))\nindex: so-*\nname: VBA DLL Loaded Via Microsoft Word\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6913,'Issue',383,9,'{{collapse(View Sigma)\n
\n\ntitle: VBA DLL Loaded Via Microsoft Word\nid: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9\nstatus: experimental\ndescription: Detects DLL\'s Loaded Via Word Containing VBA Macros\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe*\'\n    - \'*\\powerpnt.exe*\'\n    - \'*\\excel.exe*\'\n    - \'*\\outlook.exe*\'\n    ImageLoaded:\n    - \'*\\VBE7.DLL*\'\n    - \'*\\VBEUI.DLL*\'\n    - \'*\\VBE7INTL.DLL*\'\n  condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6914,'Issue',383,15,'T1193'),(6915,'Issue',384,1,'Windows Mangement Instrumentation DLL Loaded Via Microsoft Word'),(6916,'Issue',384,2,'Michael R. (@nahamike01)'),(6917,'Issue',384,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nhttps://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/\nhttps://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf'),(6918,'Issue',384,10,'high'),(6919,'Issue',384,13,'community'),(6920,'Issue',384,14,'windows'),(6922,'Issue',384,11,'b23e2aa5c'),(6923,'Issue',384,12,'a457f232-7df9-491d-898f-b5aabd2cbe2f'),(6924,'Issue',384,16,'win-sysmon'),(6925,'Issue',384,17,''),(6926,'Issue',384,7,''),(6927,'Issue',384,3,'Detects DLL\'s Loaded Via Word Containing VBA Macros Executing WMI Commands'),(6928,'Issue',384,4,''),(6929,'Issue',384,5,'_False Positives_\nPossible. Requires further testing.'),(6930,'Issue',384,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\wmiutils.dll OR *\\\\wbemcomn.dll OR *\\\\wbemprox.dll OR *\\\\wbemdisp.dll OR *\\\\wbemsvc.dll))\nindex: so-*\nname: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6931,'Issue',384,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word\nid: a457f232-7df9-491d-898f-b5aabd2cbe2f\nstatus: experimental\ndescription: Detects DLL\'s Loaded Via Word Containing VBA Macros Executing WMI Commands\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\n- https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/\n- https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf\nauthor: Michael R. (@nahamike01)\ndate: 2019/12/26\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\winword.exe\'\n    - \'*\\powerpnt.exe\'\n    - \'*\\excel.exe\'\n    - \'*\\outlook.exe\'\n    ImageLoaded:\n    - \'*\\wmiutils.dll\'\n    - \'*\\wbemcomn.dll\'\n    - \'*\\wbemprox.dll\'\n    - \'*\\wbemdisp.dll\'\n    - \'*\\wbemsvc.dll\'\n  condition: selection\nfalsepositives:\n- Possible. Requires further testing.\nlevel: high\n\n
\n}}'),(6932,'Issue',384,15,'T1047'),(6933,'Issue',385,1,'Suspicious Keyboard Layout Load'),(6934,'Issue',385,2,'Florian Roth'),(6935,'Issue',385,8,'https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index\nhttps://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'),(6936,'Issue',385,10,'medium'),(6937,'Issue',385,13,'community'),(6938,'Issue',385,14,'windows'),(6939,'Issue',385,15,''),(6940,'Issue',385,11,'496ab3e58'),(6941,'Issue',385,12,'34aa0252-6039-40ff-951f-939fd6ce47d8'),(6942,'Issue',385,16,'win-sysmon'),(6943,'Issue',385,17,''),(6944,'Issue',385,7,''),(6945,'Issue',385,3,'Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only'),(6946,'Issue',385,4,''),(6947,'Issue',385,5,'_False Positives_\nAdministrators or users that actually use the selected keyboard layouts (heavily depends on the organisation\'s user base)'),(6948,'Issue',385,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\Keyboard\\ Layout\\\\Preload\\* OR *\\\\Keyboard\\ Layout\\\\Substitutes\\*) AND event_data.Details.keyword:(*00000429* OR *00050429* OR *0000042a*))\nindex: so-*\nname: Suspicious Keyboard Layout Load\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6949,'Issue',385,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Keyboard Layout Load\nid: 34aa0252-6039-40ff-951f-939fd6ce47d8\ndescription: Detects the keyboard preload installation with a suspicious keyboard\n  layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems\n  maintained by US staff only\nreferences:\n- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index\n- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files\nauthor: Florian Roth\ndate: 2019/10/12\nmodified: 2019/10/15\nlogsource:\n  product: windows\n  service: sysmon\n  definition: \'Requirements: Sysmon config that monitors \\Keyboard Layout\\Preload\n    subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files\'\ndetection:\n  selection_registry:\n    EventID: 13\n    TargetObject:\n    - \'*\\Keyboard Layout\\Preload\\*\'\n    - \'*\\Keyboard Layout\\Substitutes\\*\'\n    Details|contains:\n    - 429\n    - 50429\n    - 0000042a\n  condition: selection_registry\nfalsepositives:\n- Administrators or users that actually use the selected keyboard layouts (heavily\n  depends on the organisation\'s user base)\nlevel: medium\n\n
\n}}'),(6950,'Issue',386,1,'Suspicious Outbound Kerberos Connection'),(6951,'Issue',386,2,'Ilyas Ochkov, oscd.community'),(6952,'Issue',386,8,'https://github.com/GhostPack/Rubeus8'),(6953,'Issue',386,10,'high'),(6954,'Issue',386,13,'community'),(6955,'Issue',386,14,'windows'),(6957,'Issue',386,11,'b61a1dd2a'),(6958,'Issue',386,12,'e54979bd-c5f9-4d6c-967b-a04b19ac4c74'),(6959,'Issue',386,16,'win-sysmon'),(6960,'Issue',386,17,''),(6961,'Issue',386,7,''),(6962,'Issue',386,3,'Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.'),(6963,'Issue',386,4,''),(6964,'Issue',386,5,'_False Positives_\nOther browsers'),(6965,'Issue',386,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:\"88\" AND event_data.Initiated:\"true\") AND (NOT (process.executable.keyword:(*\\\\lsass.exe OR *\\\\opera.exe OR *\\\\chrome.exe OR *\\\\firefox.exe))))\nindex: so-*\nname: Suspicious Outbound Kerberos Connection\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6966,'Issue',386,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Outbound Kerberos Connection\nid: e54979bd-c5f9-4d6c-967b-a04b19ac4c74\nstatus: experimental\ndescription: Detects suspicious outbound network activity via kerberos default port\n  indicating possible lateral movement or first stage PrivEsc via delegation.\nreferences:\n- https://github.com/GhostPack/Rubeus8\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/24\nmodified: 2019/11/13\ntags:\n- attack.lateral_movement\n- attack.t1208\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    DestinationPort: 88\n    Initiated: \'true\'\n  filter:\n    Image|endswith:\n    - \\lsass.exe\n    - \\opera.exe\n    - \\chrome.exe\n    - \\firefox.exe\n  condition: selection and not filter\nfalsepositives:\n- Other browsers\nlevel: high\n\n
\n}}'),(6967,'Issue',386,15,'T1208'),(6968,'Issue',387,1,'Suspicious Remote Thread Created'),(6969,'Issue',387,2,'Perez Diego (@darkquassar), oscd.community'),(6970,'Issue',387,8,'Personal research, statistical analysis\nhttps://lolbas-project.github.io'),(6971,'Issue',387,10,'high'),(6972,'Issue',387,13,'community'),(6973,'Issue',387,14,'windows'),(6975,'Issue',387,11,'d107c9166'),(6976,'Issue',387,12,'66d31e5f-52d6-40a4-9615-002d3789a119'),(6977,'Issue',387,16,'win-sysmon'),(6978,'Issue',387,17,''),(6979,'Issue',387,7,''),(6980,'Issue',387,3,'Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.'),(6981,'Issue',387,4,''),(6982,'Issue',387,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage\nTargetImage'),(6983,'Issue',387,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"8\" AND event_data.SourceImage.keyword:(*\\\\bash.exe OR *\\\\cvtres.exe OR *\\\\defrag.exe OR *\\\\dnx.exe OR *\\\\esentutl.exe OR *\\\\excel.exe OR *\\\\expand.exe OR *\\\\explorer.exe OR *\\\\find.exe OR *\\\\findstr.exe OR *\\\\forfiles.exe OR *\\\\git.exe OR *\\\\gpupdate.exe OR *\\\\hh.exe OR *\\\\iexplore.exe OR *\\\\installutil.exe OR *\\\\lync.exe OR *\\\\makecab.exe OR *\\\\mDNSResponder.exe OR *\\\\monitoringhost.exe OR *\\\\msbuild.exe OR *\\\\mshta.exe OR *\\\\msiexec.exe OR *\\\\mspaint.exe OR *\\\\outlook.exe OR *\\\\ping.exe OR *\\\\powerpnt.exe OR *\\\\powershell.exe OR *\\\\provtool.exe OR *\\\\python.exe OR *\\\\regsvr32.exe OR *\\\\robocopy.exe OR *\\\\runonce.exe OR *\\\\sapcimc.exe OR *\\\\schtasks.exe OR *\\\\smartscreen.exe OR *\\\\spoolsv.exe OR *\\\\tstheme.exe OR *\\\\userinit.exe OR *\\\\vssadmin.exe OR *\\\\vssvc.exe OR *\\\\w3wp.exe* OR *\\\\winlogon.exe OR *\\\\winscp.exe OR *\\\\wmic.exe OR *\\\\word.exe OR *\\\\wscript.exe)) AND (NOT (event_data.SourceImage.keyword:*Visual\\ Studio*)))\nindex: so-*\nname: Suspicious Remote Thread Created\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(6984,'Issue',387,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Remote Thread Created\nid: 66d31e5f-52d6-40a4-9615-002d3789a119\ndescription: Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\",\n  however, this is still largely observed in the wild. This rule aims to detect suspicious\n  processes (those we would not expect to behave in this way like word.exe or outlook.exe)\n  creating remote threads on other processes. It is a generalistic rule, but it should\n  have a low FP ratio due to the selected range of processes.\nnotes:\n- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite\n  for process injection for .NET in-memory offensive tools.\nstatus: experimental\ndate: 2019/10/27\nmodified: 2019/11/13\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- Personal research, statistical analysis\n- https://lolbas-project.github.io\nlogsource:\n  product: windows\n  service: sysmon\ntags:\n- attack.privilege_escalation\n- attack.t1055\ndetection:\n  selection:\n    EventID: 8\n    SourceImage|endswith:\n    - \\bash.exe\n    - \\cvtres.exe\n    - \\defrag.exe\n    - \\dnx.exe\n    - \\esentutl.exe\n    - \\excel.exe\n    - \\expand.exe\n    - \\explorer.exe\n    - \\find.exe\n    - \\findstr.exe\n    - \\forfiles.exe\n    - \\git.exe\n    - \\gpupdate.exe\n    - \\hh.exe\n    - \\iexplore.exe\n    - \\installutil.exe\n    - \\lync.exe\n    - \\makecab.exe\n    - \\mDNSResponder.exe\n    - \\monitoringhost.exe\n    - \\msbuild.exe\n    - \\mshta.exe\n    - \\msiexec.exe\n    - \\mspaint.exe\n    - \\outlook.exe\n    - \\ping.exe\n    - \\powerpnt.exe\n    - \\powershell.exe\n    - \\provtool.exe\n    - \\python.exe\n    - \\regsvr32.exe\n    - \\robocopy.exe\n    - \\runonce.exe\n    - \\sapcimc.exe\n    - \\schtasks.exe\n    - \\smartscreen.exe\n    - \\spoolsv.exe\n    - \\tstheme.exe\n    - \\userinit.exe\n    - \\vssadmin.exe\n    - \\vssvc.exe\n    - \\w3wp.exe*\n    - \\winlogon.exe\n    - \\winscp.exe\n    - \\wmic.exe\n    - \\word.exe\n    - \\wscript.exe\n  filter:\n    SourceImage|contains: Visual Studio\n  condition: selection AND NOT filter\nfields:\n- ComputerName\n- User\n- SourceImage\n- TargetImage\nlevel: high\nfalsepositives:\n- Unknown\n\n
\n}}'),(6985,'Issue',387,15,'T1055'),(6986,'Issue',388,1,'Svchost DLL Search Order Hijack'),(6987,'Issue',388,2,'SBousseaden'),(6988,'Issue',388,8,'https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992'),(6989,'Issue',388,10,'high'),(6990,'Issue',388,13,'community'),(6991,'Issue',388,14,'windows'),(6993,'Issue',388,11,'6ca7b2b85'),(6994,'Issue',388,12,'602a1f13-c640-4d73-b053-be9a2fa58b77'),(6995,'Issue',388,16,'win-sysmon'),(6996,'Issue',388,17,''),(6997,'Issue',388,7,''),(6998,'Issue',388,3,'IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.'),(6999,'Issue',388,4,''),(7000,'Issue',388,5,'_False Positives_\nPentest'),(7001,'Issue',388,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND process.executable.keyword:(*\\\\svchost.exe) AND event_data.ImageLoaded.keyword:(*\\\\tsmsisrv.dll OR *\\\\tsvipsrv.dll OR *\\\\wlbsctrl.dll)) AND (NOT (event.code:\"7\" AND process.executable.keyword:(*\\\\svchost.exe) AND event_data.ImageLoaded:(\"C\\:\\\\Windows\\\\WinSxS\\*\"))))\nindex: so-*\nname: Svchost DLL Search Order Hijack\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7002,'Issue',388,9,'{{collapse(View Sigma)\n
\n\ntitle: Svchost DLL Search Order Hijack\nid: 602a1f13-c640-4d73-b053-be9a2fa58b77\nstatus: experimental\ndescription: IKEEXT and SessionEnv service, as they call LoadLibrary on files that\n  do not exist within C:\\Windows\\System32\\ by default. An attacker can place their\n  malicious logic within the PROCESS_ATTACH block of their library and restart the\n  aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote\n  machine.\nreferences:\n- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992\nauthor: SBousseaden\ndate: 2019/10/28\ntags:\n- attack.persistence\n- attack.defense_evasion\n- attack.t1073\n- attack.t1038\n- attack.t1112\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image:\n    - \'*\\svchost.exe\'\n    ImageLoaded:\n    - \'*\\tsmsisrv.dll\'\n    - \'*\\tsvipsrv.dll\'\n    - \'*\\wlbsctrl.dll\'\n  filter:\n    EventID: 7\n    Image:\n    - \'*\\svchost.exe\'\n    ImageLoaded:\n    - C:\\Windows\\WinSxS\\*\n  condition: selection and not filter\nfalsepositives:\n- Pentest\nlevel: high\n\n
\n}}'),(7003,'Issue',388,15,'T1073'),(7004,'Issue',388,15,'T1038'),(7005,'Issue',388,15,'T1112'),(7006,'Issue',389,1,'Hijack Legit RDP Session to Move Laterally'),(7007,'Issue',389,2,'Samir Bousseaden'),(7008,'Issue',389,8,'none'),(7009,'Issue',389,10,'high'),(7010,'Issue',389,13,'community'),(7011,'Issue',389,14,'windows'),(7012,'Issue',389,15,''),(7013,'Issue',389,11,'edf49a6c5'),(7014,'Issue',389,12,'52753ea4-b3a0-4365-910d-36cff487b789'),(7015,'Issue',389,16,'win-sysmon'),(7016,'Issue',389,17,''),(7017,'Issue',389,7,''),(7018,'Issue',389,3,'Detects the usage of tsclient share to place a backdoor on the RDP source machine\'s startup folder'),(7019,'Issue',389,4,''),(7020,'Issue',389,5,'_False Positives_\nunknown'),(7021,'Issue',389,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND process.executable.keyword:*\\\\mstsc.exe AND TargetFileName.keyword:*\\\\Microsoft\\\\Windows\\\\Start\\ Menu\\\\Programs\\\\Startup\\\\*)\nindex: so-*\nname: Hijack Legit RDP Session to Move Laterally\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7022,'Issue',389,9,'{{collapse(View Sigma)\n
\n\ntitle: Hijack Legit RDP Session to Move Laterally\nid: 52753ea4-b3a0-4365-910d-36cff487b789\nstatus: experimental\ndescription: Detects the usage of tsclient share to place a backdoor on the RDP source\n  machine\'s startup folder\ndate: 2019/02/21\nauthor: Samir Bousseaden\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    Image: \'*\\mstsc.exe\'\n    TargetFileName: \'*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\\*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7023,'Issue',390,1,'UAC Bypass via Event Viewer'),(7024,'Issue',390,2,'Florian Roth'),(7025,'Issue',390,8,'https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\nhttps://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100'),(7026,'Issue',390,10,'critical'),(7027,'Issue',390,13,'community'),(7028,'Issue',390,14,'windows'),(7030,'Issue',390,11,'266938263'),(7031,'Issue',390,12,'7c81fec3-1c1d-43b0-996a-46753041b1b6'),(7032,'Issue',390,16,'win-sysmon'),(7033,'Issue',390,17,''),(7034,'Issue',390,7,''),(7035,'Issue',390,3,'Detects UAC bypass method using Windows event viewer'),(7036,'Issue',390,4,''),(7037,'Issue',390,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7038,'Issue',390,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*\\\\mscfile\\\\shell\\\\open\\\\command) OR (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND process.parent.executable.keyword:*\\\\eventvwr.exe) AND (NOT (process.executable.keyword:*\\\\mmc.exe)))))\nindex: so-*\nname: UAC Bypass via Event Viewer\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7039,'Issue',390,9,'{{collapse(View Sigma)\n
\n\ntitle: UAC Bypass via Event Viewer\nid: 7c81fec3-1c1d-43b0-996a-46753041b1b6\nstatus: experimental\ndescription: Detects UAC bypass method using Windows event viewer\nreferences:\n- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\n- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100\nauthor: Florian Roth\ndate: 2017/03/19\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  methregistry:\n    EventID: 13\n    TargetObject: HKU\\\\*\\mscfile\\shell\\open\\command\n  methprocess:\n    EventID: 1\n    ParentImage: \'*\\eventvwr.exe\'\n  filterprocess:\n    Image: \'*\\mmc.exe\'\n  condition: methregistry or ( methprocess and not filterprocess )\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7040,'Issue',390,15,'T1088'),(7041,'Issue',391,1,'UAC Bypass via Sdclt'),(7042,'Issue',391,2,'Omer Yampel'),(7043,'Issue',391,8,'https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/'),(7044,'Issue',391,10,'high'),(7045,'Issue',391,13,'community'),(7046,'Issue',391,14,'windows'),(7048,'Issue',391,11,'269c211ef'),(7049,'Issue',391,12,'5b872a46-3b90-45c1-8419-f675db8053aa'),(7050,'Issue',391,16,'win-sysmon'),(7051,'Issue',391,17,''),(7052,'Issue',391,7,''),(7053,'Issue',391,3,'Detects changes to HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand'),(7054,'Issue',391,4,''),(7055,'Issue',391,5,'_False Positives_\nunknown'),(7056,'Issue',391,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand)\nindex: so-*\nname: UAC Bypass via Sdclt\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7057,'Issue',391,9,'{{collapse(View Sigma)\n
\n\ntitle: UAC Bypass via Sdclt\nid: 5b872a46-3b90-45c1-8419-f675db8053aa\nstatus: experimental\ndescription: Detects changes to HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand\nreferences:\n- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/\nauthor: Omer Yampel\ndate: 2017/03/17\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 13\n    TargetObject: HKU\\\\*_Classes\\exefile\\shell\\runas\\command\\isolatedCommand\n  condition: selection\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7058,'Issue',391,15,'T1088'),(7059,'Issue',392,1,'Unsigned Image Loaded Into LSASS Process'),(7060,'Issue',392,2,'Teymur Kheirkhabarov, oscd.community'),(7061,'Issue',392,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(7062,'Issue',392,10,'medium'),(7063,'Issue',392,13,'community'),(7064,'Issue',392,14,'windows'),(7066,'Issue',392,11,'23f5b5af8'),(7067,'Issue',392,12,'857c8db3-c89b-42fb-882b-f681c7cf4da2'),(7068,'Issue',392,16,'win-sysmon'),(7069,'Issue',392,17,''),(7070,'Issue',392,7,''),(7071,'Issue',392,3,'Loading unsigned image (DLL, EXE) into LSASS process'),(7072,'Issue',392,4,''),(7073,'Issue',392,5,'_False Positives_\nValid user connecting using RDP'),(7074,'Issue',392,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:*\\\\lsass.exe AND Signed:\"false\")\nindex: so-*\nname: Unsigned Image Loaded Into LSASS Process\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7075,'Issue',392,9,'{{collapse(View Sigma)\n
\n\ntitle: Unsigned Image Loaded Into LSASS Process\nid: 857c8db3-c89b-42fb-882b-f681c7cf4da2\ndescription: Loading unsigned image (DLL, EXE) into LSASS process\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/13\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image|endswith: \\lsass.exe\n    Signed: \'false\'\n  condition: selection\nfalsepositives:\n- Valid user connecting using RDP\nstatus: experimental\nlevel: medium\n\n
\n}}'),(7076,'Issue',392,15,'T1003'),(7077,'Issue',393,1,'Windows Webshell Creation'),(7078,'Issue',393,2,'Beyu Denis, oscd.community'),(7079,'Issue',393,8,'PT ESC rule and personal experience'),(7080,'Issue',393,10,'critical'),(7081,'Issue',393,13,'community'),(7082,'Issue',393,14,'windows'),(7084,'Issue',393,11,'2f30d8784'),(7085,'Issue',393,12,'39f1f9f2-9636-45de-98f6-a4046aa8e4b9'),(7086,'Issue',393,16,'win-sysmon'),(7087,'Issue',393,17,''),(7088,'Issue',393,7,''),(7089,'Issue',393,3,'Possible webshell file creation on a static web site'),(7090,'Issue',393,4,''),(7091,'Issue',393,5,'_False Positives_\nLegitimate administrator or developer creating legitimate executable files in a web application folder'),(7092,'Issue',393,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND ((event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event_data.TargetFilename.keyword:*\\\\inetpub\\\\wwwroot\\* AND event_data.TargetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) OR (event_data.TargetFilename.keyword:(*\\\\www\\* OR *\\\\htdocs\\* OR *\\\\html\\*) AND event_data.TargetFilename.keyword:*.ph*))) OR (event_data.TargetFilename.keyword:*.jsp OR (event_data.TargetFilename.keyword:*\\\\cgi\\-bin\\* AND event_data.TargetFilename.keyword:*.pl*))))\nindex: so-*\nname: Windows Webshell Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7093,'Issue',393,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Webshell Creation\nid: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9\nstatus: experimental\ndescription: Possible webshell file creation on a static web site\nreferences:\n- PT ESC rule and personal experience\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.t1100\nlevel: critical\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_1:\n    EventID: 11\n  selection_2:\n    TargetFilename|contains: \\inetpub\\wwwroot\\\n  selection_3:\n    TargetFilename|contains:\n    - .asp\n    - .ashx\n    - .ph\n  selection_4:\n    TargetFilename|contains:\n    - \\www\\\n    - \\htdocs\\\n    - \\html\\\n  selection_5:\n    TargetFilename|contains: .ph\n  selection_6:\n  - TargetFilename|endswith: .jsp\n  - TargetFilename|contains|all:\n    - \\cgi-bin\\\n    - .pl\n  condition: selection_1 and ( selection_2 and selection_3 ) or selection_1 and (\n    selection_4 and selection_5 ) or selection_1 and selection_6\nfalsepositives:\n- Legitimate administrator or developer creating legitimate executable files in a\n  web application folder\n\n
\n}}'),(7094,'Issue',393,15,'T1100'),(7095,'Issue',394,1,'Microsoft Binary Github Communication'),(7096,'Issue',394,2,'Michael Haag (idea), Florian Roth (rule)'),(7097,'Issue',394,8,'https://twitter.com/M_haggis/status/900741347035889665\nhttps://twitter.com/M_haggis/status/1032799638213066752'),(7098,'Issue',394,10,'high'),(7099,'Issue',394,13,'community'),(7100,'Issue',394,14,'windows'),(7102,'Issue',394,11,'04a41c5fb'),(7103,'Issue',394,12,'635dbb88-67b3-4b41-9ea5-a3af2dd88153'),(7104,'Issue',394,16,'win-sysmon'),(7105,'Issue',394,17,''),(7106,'Issue',394,7,''),(7107,'Issue',394,3,'Detects an executable in the Windows folder accessing github.com'),(7108,'Issue',394,4,''),(7109,'Issue',394,5,'_False Positives_\nUnknown\n@subTee in your network'),(7110,'Issue',394,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND event_data.Initiated:\"true\" AND event_data.DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND process.executable.keyword:C\\:\\\\Windows\\\\*)\nindex: so-*\nname: Microsoft Binary Github Communication\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7111,'Issue',394,9,'{{collapse(View Sigma)\n
\n\ntitle: Microsoft Binary Github Communication\nid: 635dbb88-67b3-4b41-9ea5-a3af2dd88153\nstatus: experimental\ndescription: Detects an executable in the Windows folder accessing github.com\nreferences:\n- https://twitter.com/M_haggis/status/900741347035889665\n- https://twitter.com/M_haggis/status/1032799638213066752\nauthor: Michael Haag (idea), Florian Roth (rule)\ndate: 2017/08/24\ntags:\n- attack.lateral_movement\n- attack.t1105\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Initiated: \'true\'\n    DestinationHostname:\n    - \'*.github.com\'\n    - \'*.githubusercontent.com\'\n    Image: C:\\Windows\\\\*\n  condition: selection\nfalsepositives:\n- Unknown\n- \'@subTee in your network\'\nlevel: high\n\n
\n}}'),(7112,'Issue',394,15,'T1105'),(7113,'Issue',395,1,'Microsoft Binary Suspicious Communication Endpoint'),(7114,'Issue',395,2,'Florian Roth'),(7115,'Issue',395,8,'https://twitter.com/M_haggis/status/900741347035889665\nhttps://twitter.com/M_haggis/status/1032799638213066752'),(7116,'Issue',395,10,'high'),(7117,'Issue',395,13,'community'),(7118,'Issue',395,14,'windows'),(7120,'Issue',395,11,'847f9c649'),(7121,'Issue',395,12,'e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97'),(7122,'Issue',395,16,'win-sysmon'),(7123,'Issue',395,17,''),(7124,'Issue',395,7,''),(7125,'Issue',395,3,'Detects an executable in the Windows folder accessing suspicious domains'),(7126,'Issue',395,4,''),(7127,'Issue',395,5,'_False Positives_\nUnknown'),(7128,'Issue',395,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND event_data.Initiated:\"true\" AND event_data.DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND process.executable.keyword:C\\:\\\\Windows\\\\*)\nindex: so-*\nname: Microsoft Binary Suspicious Communication Endpoint\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7129,'Issue',395,9,'{{collapse(View Sigma)\n
\n\ntitle: Microsoft Binary Suspicious Communication Endpoint\nid: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97\nstatus: experimental\ndescription: Detects an executable in the Windows folder accessing suspicious domains\nreferences:\n- https://twitter.com/M_haggis/status/900741347035889665\n- https://twitter.com/M_haggis/status/1032799638213066752\nauthor: Florian Roth\ndate: 2018/08/30\ntags:\n- attack.lateral_movement\n- attack.t1105\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 3\n    Initiated: \'true\'\n    DestinationHostname:\n    - \'*dl.dropboxusercontent.com\'\n    - \'*.pastebin.com\'\n    - \'*.githubusercontent.com\'\n    Image: C:\\Windows\\\\*\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7130,'Issue',395,15,'T1105'),(7131,'Issue',396,1,'Registry Persistence Mechanisms'),(7132,'Issue',396,2,'Karneades'),(7133,'Issue',396,8,'https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/'),(7134,'Issue',396,10,'critical'),(7135,'Issue',396,13,'community'),(7136,'Issue',396,14,'windows'),(7138,'Issue',396,11,'b6d5e6bc2'),(7139,'Issue',396,12,'36803969-5421-41ec-b92f-8500f79c23b0'),(7140,'Issue',396,16,'win-sysmon'),(7141,'Issue',396,17,''),(7142,'Issue',396,7,''),(7143,'Issue',396,3,'Detects persistence registry keys'),(7144,'Issue',396,4,''),(7145,'Issue',396,5,'_False Positives_\nunknown'),(7146,'Issue',396,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\*\\\\GlobalFlag OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\ReportingMode OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess) AND event_data.EventType:\"SetValue\")\nindex: so-*\nname: Registry Persistence Mechanisms\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7147,'Issue',396,9,'{{collapse(View Sigma)\n
\n\ntitle: Registry Persistence Mechanisms\nid: 36803969-5421-41ec-b92f-8500f79c23b0\ndescription: Detects persistence registry keys\nreferences:\n- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/\ndate: 2018/04/11\nauthor: Karneades\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection_reg1:\n    EventID: 13\n    TargetObject:\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\\\*\\GlobalFlag\'\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\ReportingMode\'\n    - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\MonitorProcess\'\n    EventType: SetValue\n  condition: selection_reg1\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.defense_evasion\n- attack.t1183\n- car.2013-01-002\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7148,'Issue',396,15,'T1183'),(7149,'Issue',397,1,'WMI Event Subscription'),(7150,'Issue',397,2,'Tom Ueltschi (@c_APT_ure)'),(7151,'Issue',397,8,'https://attack.mitre.org/techniques/T1084/'),(7152,'Issue',397,10,'high'),(7153,'Issue',397,13,'community'),(7154,'Issue',397,14,'windows'),(7156,'Issue',397,11,'9dd7ef828'),(7157,'Issue',397,12,'0f06a3a5-6a09-413f-8743-e6cf35561297'),(7158,'Issue',397,16,'win-sysmon'),(7159,'Issue',397,17,''),(7160,'Issue',397,7,''),(7161,'Issue',397,3,'Detects creation of WMI event subscription persistence method'),(7162,'Issue',397,4,''),(7163,'Issue',397,5,'_False Positives_\nexclude legitimate (vetted) use of WMI event subscription in your network'),(7164,'Issue',397,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"19\" OR \"20\" OR \"21\"))\nindex: so-*\nname: WMI Event Subscription\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7165,'Issue',397,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Event Subscription\nid: 0f06a3a5-6a09-413f-8743-e6cf35561297\nstatus: experimental\ndescription: Detects creation of WMI event subscription persistence method\nreferences:\n- https://attack.mitre.org/techniques/T1084/\ntags:\n- attack.t1084\n- attack.persistence\nauthor: Tom Ueltschi (@c_APT_ure)\ndate: 2019/01/12\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selector:\n    EventID:\n    - 19\n    - 20\n    - 21\n  condition: selector\nfalsepositives:\n- exclude legitimate (vetted) use of WMI event subscription in your network\nlevel: high\n\n
\n}}'),(7166,'Issue',397,15,'T1084'),(7167,'Issue',398,1,'WMI Modules Loaded'),(7168,'Issue',398,2,'Roberto Rodriguez @Cyb3rWard0g'),(7169,'Issue',398,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md'),(7170,'Issue',398,10,'high'),(7171,'Issue',398,13,'community'),(7172,'Issue',398,14,'windows'),(7174,'Issue',398,11,'eaf1ac318'),(7175,'Issue',398,12,'671bb7e3-a020-4824-a00e-2ee5b55f385e'),(7176,'Issue',398,16,'win-sysmon'),(7177,'Issue',398,17,''),(7178,'Issue',398,7,''),(7179,'Issue',398,3,'Detects non wmiprvse loading WMI modules'),(7180,'Issue',398,4,''),(7181,'Issue',398,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nImageLoaded'),(7182,'Issue',398,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\wmiclnt.dll OR *\\\\WmiApRpl.dll OR *\\\\wmiprov.dll OR *\\\\wmiutils.dll OR *\\\\wbemcomn.dll OR *\\\\wbemprox.dll OR *\\\\WMINet_Utils.dll OR *\\\\wbemsvc.dll OR *\\\\fastprox.dll)) AND (NOT (process.executable.keyword:(*\\\\WmiPrvSe.exe OR *\\\\WmiPrvSE.exe OR *\\\\WmiAPsrv.exe OR *\\\\svchost.exe))))\nindex: so-*\nname: WMI Modules Loaded\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7183,'Issue',398,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Modules Loaded\nid: 671bb7e3-a020-4824-a00e-2ee5b55f385e\ndescription: Detects non wmiprvse loading WMI modules\nstatus: experimental\ndate: 2019/08/10\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    ImageLoaded|endswith:\n    - \\wmiclnt.dll\n    - \\WmiApRpl.dll\n    - \\wmiprov.dll\n    - \\wmiutils.dll\n    - \\wbemcomn.dll\n    - \\wbemprox.dll\n    - \\WMINet_Utils.dll\n    - \\wbemsvc.dll\n    - \\fastprox.dll\n  filter:\n    Image|endswith:\n    - \\WmiPrvSe.exe\n    - \\WmiPrvSE.exe\n    - \\WmiAPsrv.exe\n    - \\svchost.exe\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\n- ImageLoaded\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7184,'Issue',398,15,'T1047'),(7185,'Issue',399,1,'WMI Persistence - Command Line Event Consumer'),(7186,'Issue',399,2,'Thomas Patzke'),(7187,'Issue',399,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(7188,'Issue',399,10,'high'),(7189,'Issue',399,13,'community'),(7190,'Issue',399,14,'windows'),(7192,'Issue',399,11,'9e9efa320'),(7193,'Issue',399,12,'05936ce2-ee05-4dae-9d03-9a391cf2d2c6'),(7194,'Issue',399,16,'win-sysmon'),(7195,'Issue',399,17,''),(7196,'Issue',399,7,''),(7197,'Issue',399,3,'Detects WMI command line event consumers'),(7198,'Issue',399,4,''),(7199,'Issue',399,5,'_False Positives_\nUnknown (data set is too small; further testing needed)'),(7200,'Issue',399,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable:\"C\\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\" AND event_data.ImageLoaded:\"wbemcons.dll\")\nindex: so-*\nname: WMI Persistence - Command Line Event Consumer\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7201,'Issue',399,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Persistence - Command Line Event Consumer\nid: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6\nstatus: experimental\ndescription: Detects WMI command line event consumers\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.t1084\n- attack.persistence\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 7\n    Image: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\n    ImageLoaded: wbemcons.dll\n  condition: selection\nfalsepositives:\n- Unknown (data set is too small; further testing needed)\nlevel: high\n\n
\n}}'),(7202,'Issue',399,15,'T1084'),(7203,'Issue',400,1,'WMI Persistence - Script Event Consumer File Write'),(7204,'Issue',400,2,'Thomas Patzke'),(7205,'Issue',400,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(7206,'Issue',400,10,'high'),(7207,'Issue',400,13,'community'),(7208,'Issue',400,14,'windows'),(7210,'Issue',400,11,'9ec7edf07'),(7211,'Issue',400,12,'33f41cdd-35ac-4ba8-814b-c6a4244a1ad4'),(7212,'Issue',400,16,'win-sysmon'),(7213,'Issue',400,17,''),(7214,'Issue',400,7,''),(7215,'Issue',400,3,'Detects file writes of WMI script event consumer'),(7216,'Issue',400,4,''),(7217,'Issue',400,5,'_False Positives_\nUnknown (data set is too small; further testing needed)'),(7218,'Issue',400,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND process.executable:\"C\\:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe\")\nindex: so-*\nname: WMI Persistence - Script Event Consumer File Write\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7219,'Issue',400,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Persistence - Script Event Consumer File Write\nid: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4\nstatus: experimental\ndescription: Detects file writes of WMI script event consumer\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.t1084\n- attack.persistence\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 11\n    Image: C:\\WINDOWS\\system32\\wbem\\scrcons.exe\n  condition: selection\nfalsepositives:\n- Unknown (data set is too small; further testing needed)\nlevel: high\n\n
\n}}'),(7220,'Issue',400,15,'T1084'),(7221,'Issue',401,1,'Suspicious Scripting in a WMI Consumer'),(7222,'Issue',401,2,'Florian Roth'),(7223,'Issue',401,8,'https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/\nhttps://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19'),(7224,'Issue',401,10,'high'),(7225,'Issue',401,13,'community'),(7226,'Issue',401,14,'windows'),(7228,'Issue',401,11,'5e0c4b4b2'),(7229,'Issue',401,12,'fe21810c-2a8c-478f-8dd3-5a287fb2a0e0'),(7230,'Issue',401,16,'win-sysmon'),(7231,'Issue',401,17,''),(7232,'Issue',401,7,''),(7233,'Issue',401,3,'Detects suspicious scripting in WMI Event Consumers'),(7234,'Issue',401,4,''),(7235,'Issue',401,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7236,'Issue',401,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"20\" AND Destination.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(* OR *\\ iex\\(* OR *WScript.shell* OR *\\ \\-nop\\ * OR *\\ \\-noprofile\\ * OR *\\ \\-decode\\ * OR *\\ \\-enc\\ *))\nindex: so-*\nname: Suspicious Scripting in a WMI Consumer\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7237,'Issue',401,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Scripting in a WMI Consumer\nid: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0\nstatus: experimental\ndescription: Detects suspicious scripting in WMI Event Consumers\nauthor: Florian Roth\nreferences:\n- https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/\n- https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19\ndate: 2019/04/15\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n  product: windows\n  service: sysmon\ndetection:\n  selection:\n    EventID: 20\n    Destination:\n    - \'*new-object system.net.webclient).downloadstring(*\'\n    - \'*new-object system.net.webclient).downloadfile(*\'\n    - \'*new-object net.webclient).downloadstring(*\'\n    - \'*new-object net.webclient).downloadfile(*\'\n    - \'* iex(*\'\n    - \'*WScript.shell*\'\n    - \'* -nop *\'\n    - \'* -noprofile *\'\n    - \'* -decode *\'\n    - \'* -enc *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: high\n\n
\n}}'),(7238,'Issue',401,15,'T1086'),(7239,'Issue',402,1,'APT29'),(7240,'Issue',402,2,'Florian Roth'),(7241,'Issue',402,8,'https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/'),(7242,'Issue',402,10,'critical'),(7243,'Issue',402,13,'community'),(7244,'Issue',402,14,'windows'),(7246,'Issue',402,11,'3eea01490'),(7247,'Issue',402,12,'033fe7d6-66d1-4240-ac6b-28908009c71f'),(7248,'Issue',402,16,'win-proc'),(7249,'Issue',402,17,''),(7250,'Issue',402,7,''),(7251,'Issue',402,3,'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks'),(7252,'Issue',402,4,''),(7253,'Issue',402,5,'_False Positives_\nunknown'),(7254,'Issue',402,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\-noni\\ \\-ep\\ bypass\\ $*)\nindex: so-*\nname: APT29\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7255,'Issue',402,9,'{{collapse(View Sigma)\n
\n\ntitle: APT29\nid: 033fe7d6-66d1-4240-ac6b-28908009c71f\ndescription: This method detects a suspicious powershell command line combination\n  as used by APT29 in a campaign against US think tanks\nreferences:\n- https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/\ntags:\n- attack.execution\n- attack.g0016\n- attack.t1086\nauthor: Florian Roth\ndate: 2018/12/04\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*-noni -ep bypass $*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7256,'Issue',402,15,'T1086'),(7257,'Issue',403,1,'Baby Shark Activity'),(7258,'Issue',403,2,'Florian Roth'),(7259,'Issue',403,8,'https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/'),(7260,'Issue',403,10,'high'),(7261,'Issue',403,13,'community'),(7262,'Issue',403,14,'windows'),(7264,'Issue',403,11,'e1e3ed75c'),(7265,'Issue',403,12,'2b30fa36-3a18-402f-a22d-bf4ce2189f35'),(7266,'Issue',403,16,'win-proc'),(7267,'Issue',403,17,''),(7268,'Issue',403,7,''),(7269,'Issue',403,3,'Detects activity that could be related to Baby Shark malware'),(7270,'Issue',403,4,''),(7271,'Issue',403,5,'_False Positives_\nunknown'),(7272,'Issue',403,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(reg\\ query\\ \\\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal\\ Server\\ Client\\\\Default\\\" OR powershell.exe\\ mshta.exe\\ http* OR cmd.exe\\ \\/c\\ taskkill\\ \\/im\\ cmd.exe))\nindex: so-*\nname: Baby Shark Activity\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7273,'Issue',403,9,'{{collapse(View Sigma)\n
\n\ntitle: Baby Shark Activity\nid: 2b30fa36-3a18-402f-a22d-bf4ce2189f35\nstatus: experimental\ndescription: Detects activity that could be related to Baby Shark malware\nreferences:\n- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\ntags:\n- attack.execution\n- attack.t1059\n- attack.t1086\n- attack.discovery\n- attack.t1012\n- attack.defense_evasion\n- attack.t1170\nlogsource:\n  category: process_creation\n  product: windows\nauthor: Florian Roth\ndate: 2019/02/24\ndetection:\n  selection:\n    CommandLine:\n    - reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"\n    - powershell.exe mshta.exe http*\n    - cmd.exe /c taskkill /im cmd.exe\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7274,'Issue',403,15,'T1059'),(7275,'Issue',403,15,'T1086'),(7276,'Issue',403,15,'T1012'),(7277,'Issue',403,15,'T1170'),(7278,'Issue',404,1,'Judgement Panda Credential Access Activity'),(7279,'Issue',404,2,'Florian Roth'),(7280,'Issue',404,8,'https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/'),(7281,'Issue',404,10,'critical'),(7282,'Issue',404,13,'community'),(7283,'Issue',404,14,'windows'),(7285,'Issue',404,11,'ebeeba7dd'),(7286,'Issue',404,12,'b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee'),(7287,'Issue',404,16,'win-proc'),(7288,'Issue',404,17,''),(7289,'Issue',404,7,''),(7290,'Issue',404,3,'Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike'),(7291,'Issue',404,4,''),(7292,'Issue',404,5,'_False Positives_\nunknown'),(7293,'Issue',404,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\xcopy.exe AND process.command_line.keyword:*\\ \\/S\\ \\/E\\ \\/C\\ \\/Q\\ \\/H\\ \\\\*) OR (process.executable.keyword:*\\\\adexplorer.exe AND process.command_line.keyword:*\\ \\-snapshot\\ \\\"\\\"\\ c\\:\\\\users\\\\*)))\nindex: so-*\nname: Judgement Panda Credential Access Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7294,'Issue',404,9,'{{collapse(View Sigma)\n
\n\ntitle: Judgement Panda Credential Access Activity\nid: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee\ndescription: Detects Russian group activity as described in Global Threat Report 2019\n  by Crowdstrike\nreferences:\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nauthor: Florian Roth\ndate: 2019/02/21\ntags:\n- attack.credential_access\n- attack.t1081\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image: \'*\\xcopy.exe\'\n    CommandLine: \'* /S /E /C /Q /H \\\\*\'\n  selection2:\n    Image: \'*\\adexplorer.exe\'\n    CommandLine: \'* -snapshot \"\" c:\\users\\\\*\'\n  condition: selection1 or selection2\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7295,'Issue',404,15,'T1081'),(7296,'Issue',404,15,'T1003'),(7297,'Issue',405,1,'BlueMashroom DLL Load'),(7298,'Issue',405,2,'Florian Roth'),(7299,'Issue',405,8,'https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software'),(7300,'Issue',405,10,'critical'),(7301,'Issue',405,13,'community'),(7302,'Issue',405,14,'windows'),(7304,'Issue',405,11,'8bb8cf273'),(7305,'Issue',405,12,'bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0'),(7306,'Issue',405,16,'win-proc'),(7307,'Issue',405,17,''),(7308,'Issue',405,7,''),(7309,'Issue',405,3,'Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report'),(7310,'Issue',405,4,''),(7311,'Issue',405,5,'_False Positives_\nUnlikely'),(7312,'Issue',405,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\regsvr32*\\\\AppData\\\\Local\\\\* OR *\\\\AppData\\\\Local\\\\*,DllEntry*))\nindex: so-*\nname: BlueMashroom DLL Load\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7313,'Issue',405,9,'{{collapse(View Sigma)\n
\n\ntitle: BlueMashroom DLL Load\nid: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0\nstatus: experimental\ndescription: Detects a suspicious DLL loading from AppData Local path as described\n  in BlueMashroom report\nreferences:\n- https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software\ntags:\n- attack.defense_evasion\n- attack.t1117\nauthor: Florian Roth\ndate: 2019/10/02\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\regsvr32*\\AppData\\Local\\\\*\'\n    - \'*\\AppData\\Local\\\\*,DllEntry*\'\n  condition: selection\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7314,'Issue',405,15,'T1117'),(7315,'Issue',406,1,'WMIExec VBS Script'),(7316,'Issue',406,2,'Florian Roth'),(7317,'Issue',406,8,'https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf'),(7318,'Issue',406,10,'critical'),(7319,'Issue',406,13,'community'),(7320,'Issue',406,14,'windows'),(7322,'Issue',406,11,'5b1ed0159'),(7323,'Issue',406,12,'966e4016-627f-44f7-8341-f394905c361f'),(7324,'Issue',406,16,'win-proc'),(7325,'Issue',406,17,''),(7326,'Issue',406,7,''),(7327,'Issue',406,3,'Detects suspicious file execution by wscript and cscript'),(7328,'Issue',406,4,''),(7329,'Issue',406,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7330,'Issue',406,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cscript.exe AND process.command_line.keyword:*.vbs\\ \\/shell\\ *)\nindex: so-*\nname: WMIExec VBS Script\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7331,'Issue',406,9,'{{collapse(View Sigma)\n
\n\ntitle: WMIExec VBS Script\nid: 966e4016-627f-44f7-8341-f394905c361f\ndescription: Detects suspicious file execution by wscript and cscript\nauthor: Florian Roth\ndate: 2017/04/07\nreferences:\n- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf\ntags:\n- attack.execution\n- attack.g0045\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\cscript.exe\'\n    CommandLine: \'*.vbs /shell *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7332,'Issue',406,15,'T1064'),(7333,'Issue',407,1,'CrackMapExecWin'),(7334,'Issue',407,2,'Markus Neis'),(7335,'Issue',407,8,'https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control'),(7336,'Issue',407,10,'critical'),(7337,'Issue',407,13,'community'),(7338,'Issue',407,14,'windows'),(7339,'Issue',407,15,''),(7340,'Issue',407,11,'3fa886226'),(7341,'Issue',407,12,'04d9079e-3905-4b70-ad37-6bdf11304965'),(7342,'Issue',407,16,'win-proc'),(7343,'Issue',407,17,''),(7344,'Issue',407,7,''),(7345,'Issue',407,3,'Detects CrackMapExecWin Activity as Described by NCSC'),(7346,'Issue',407,4,''),(7347,'Issue',407,5,'_False Positives_\nNone'),(7348,'Issue',407,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\crackmapexec.exe))\nindex: so-*\nname: CrackMapExecWin\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7349,'Issue',407,9,'{{collapse(View Sigma)\n
\n\ntitle: CrackMapExecWin\nid: 04d9079e-3905-4b70-ad37-6bdf11304965\ndescription: Detects CrackMapExecWin Activity as Described by NCSC\nstatus: experimental\nreferences:\n- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control\ntags:\n- attack.g0035\nauthor: Markus Neis\ndate: 2018/04/08\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\crackmapexec.exe\'\n  condition: selection\nfalsepositives:\n- None\nlevel: critical\n\n
\n}}'),(7350,'Issue',408,1,'Elise Backdoor'),(7351,'Issue',408,2,'Florian Roth'),(7352,'Issue',408,8,'https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting'),(7353,'Issue',408,10,'critical'),(7354,'Issue',408,13,'community'),(7355,'Issue',408,14,'windows'),(7356,'Issue',408,15,''),(7357,'Issue',408,11,'c59e20ad4'),(7358,'Issue',408,12,'e507feb7-5f73-4ef6-a970-91bb6f6d744f'),(7359,'Issue',408,16,'win-proc'),(7360,'Issue',408,17,''),(7361,'Issue',408,7,''),(7362,'Issue',408,3,'Detects Elise backdoor acitivty as used by APT32'),(7363,'Issue',408,4,''),(7364,'Issue',408,5,'_False Positives_\nUnknown'),(7365,'Issue',408,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable:\"C\\:\\\\Windows\\\\SysWOW64\\\\cmd.exe\" AND process.command_line.keyword:*\\\\Windows\\\\Caches\\\\NavShExt.dll\\ *) OR process.command_line.keyword:*\\\\AppData\\\\Roaming\\\\MICROS\\~1\\\\Windows\\\\Caches\\\\NavShExt.dll,Setting))\nindex: so-*\nname: Elise Backdoor\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7366,'Issue',408,9,'{{collapse(View Sigma)\n
\n\ntitle: Elise Backdoor\nid: e507feb7-5f73-4ef6-a970-91bb6f6d744f\nstatus: experimental\ndescription: Detects Elise backdoor acitivty as used by APT32\nreferences:\n- https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting\ntags:\n- attack.g0030\n- attack.g0050\n- attack.s0081\nauthor: Florian Roth\ndate: 2018/01/31\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image: C:\\Windows\\SysWOW64\\cmd.exe\n    CommandLine: \'*\\Windows\\Caches\\NavShExt.dll *\'\n  selection2:\n    CommandLine: \'*\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting\'\n  condition: 1 of them\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7367,'Issue',409,1,'Emissary Panda Malware SLLauncher'),(7368,'Issue',409,2,'Florian Roth'),(7369,'Issue',409,8,'https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965\nhttps://twitter.com/cyb3rops/status/1168863899531132929'),(7370,'Issue',409,10,'critical'),(7371,'Issue',409,13,'community'),(7372,'Issue',409,14,'windows'),(7373,'Issue',409,15,''),(7374,'Issue',409,11,'5e4b7990b'),(7375,'Issue',409,12,'9aa01d62-7667-4d3b-acb8-8cb5103e2014'),(7376,'Issue',409,16,'win-proc'),(7377,'Issue',409,17,''),(7378,'Issue',409,7,''),(7379,'Issue',409,3,'Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27'),(7380,'Issue',409,4,''),(7381,'Issue',409,5,'_False Positives_\nUnknown'),(7382,'Issue',409,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\sllauncher.exe AND process.executable.keyword:*\\\\svchost.exe)\nindex: so-*\nname: Emissary Panda Malware SLLauncher\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7383,'Issue',409,9,'{{collapse(View Sigma)\n
\n\ntitle: Emissary Panda Malware SLLauncher\nid: 9aa01d62-7667-4d3b-acb8-8cb5103e2014\nstatus: experimental\ndescription: Detects the execution of DLL side-loading malware used by threat group\n  Emissary Panda aka APT27\nreferences:\n- https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965\n- https://twitter.com/cyb3rops/status/1168863899531132929\nauthor: Florian Roth\ndate: 2018/09/03\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\sllauncher.exe\'\n    Image: \'*\\svchost.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7384,'Issue',410,1,'Equation Group DLL_U Load'),(7385,'Issue',410,2,'Florian Roth'),(7386,'Issue',410,8,'https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=\nhttps://securelist.com/apt-slingshot/84312/\nhttps://twitter.com/cyb3rops/status/972186477512839170'),(7387,'Issue',410,10,'critical'),(7388,'Issue',410,13,'community'),(7389,'Issue',410,14,'windows'),(7391,'Issue',410,11,'8d87ab96d'),(7392,'Issue',410,12,'d465d1d8-27a2-4cca-9621-a800f37cf72e'),(7393,'Issue',410,16,'win-proc'),(7394,'Issue',410,17,''),(7395,'Issue',410,7,''),(7396,'Issue',410,3,'Detects a specific tool and export used by EquationGroup'),(7397,'Issue',410,4,''),(7398,'Issue',410,5,'_False Positives_\nUnknown'),(7399,'Issue',410,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*,dll_u) OR process.command_line.keyword:*\\ \\-export\\ dll_u\\ *))\nindex: so-*\nname: Equation Group DLL_U Load\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7400,'Issue',410,9,'{{collapse(View Sigma)\n
\n\ntitle: Equation Group DLL_U Load\nid: d465d1d8-27a2-4cca-9621-a800f37cf72e\nauthor: Florian Roth\ndate: 2019/03/04\ndescription: Detects a specific tool and export used by EquationGroup\nreferences:\n- https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=\n- https://securelist.com/apt-slingshot/84312/\n- https://twitter.com/cyb3rops/status/972186477512839170\ntags:\n- attack.execution\n- attack.g0020\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image: \'*\\rundll32.exe\'\n    CommandLine: \'*,dll_u\'\n  selection2:\n    CommandLine: \'* -export dll_u *\'\n  condition: 1 of them\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7401,'Issue',410,15,'T1059'),(7402,'Issue',410,15,'T1085'),(7403,'Issue',411,1,'Hurricane Panda Activity'),(7404,'Issue',411,2,'Florian Roth'),(7405,'Issue',411,8,'https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/'),(7406,'Issue',411,10,'high'),(7407,'Issue',411,13,'community'),(7408,'Issue',411,14,'windows'),(7410,'Issue',411,11,'70b43689e'),(7411,'Issue',411,12,'0eb2107b-a596-422e-b123-b389d5594ed7'),(7412,'Issue',411,16,'win-proc'),(7413,'Issue',411,17,''),(7414,'Issue',411,7,''),(7415,'Issue',411,3,'Detects Hurricane Panda Activity'),(7416,'Issue',411,4,''),(7417,'Issue',411,5,'_False Positives_\nUnknown'),(7418,'Issue',411,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ localgroup\\ administrators\\ admin\\ \\/add OR *\\\\Win64.exe*))\nindex: so-*\nname: Hurricane Panda Activity\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7419,'Issue',411,9,'{{collapse(View Sigma)\n
\n\ntitle: Hurricane Panda Activity\nid: 0eb2107b-a596-422e-b123-b389d5594ed7\nauthor: Florian Roth\ndate: 2019/03/04\nstatus: experimental\ndescription: Detects Hurricane Panda Activity\nreferences:\n- https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/\ntags:\n- attack.privilege_escalation\n- attack.g0009\n- attack.t1068\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* localgroup administrators admin /add\'\n    - \'*\\Win64.exe*\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7420,'Issue',411,15,'T1068'),(7421,'Issue',412,1,'Judgement Panda Exfil Activity'),(7422,'Issue',412,2,'Florian Roth'),(7423,'Issue',412,8,'https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/'),(7424,'Issue',412,10,'critical'),(7425,'Issue',412,13,'community'),(7426,'Issue',412,14,'windows'),(7428,'Issue',412,11,'7b23cf39c'),(7429,'Issue',412,12,'03e2746e-2b31-42f1-ab7a-eb39365b2422'),(7430,'Issue',412,16,'win-proc'),(7431,'Issue',412,17,''),(7432,'Issue',412,7,''),(7433,'Issue',412,3,'Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike'),(7434,'Issue',412,4,''),(7435,'Issue',412,5,'_False Positives_\nunknown'),(7436,'Issue',412,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*\\\\ldifde.exe\\ \\-f\\ \\-n\\ * OR *\\\\7za.exe\\ a\\ 1.7z\\ * OR *\\ eprod.ldf OR *\\\\aaaa\\\\procdump64.exe* OR *\\\\aaaa\\\\netsess.exe* OR *\\\\aaaa\\\\7za.exe* OR *copy\\ .\\\\1.7z\\ \\\\* OR *copy\\ \\\\client\\\\c$\\\\aaaa\\\\*) OR process.executable:\"C\\:\\\\Users\\\\Public\\\\7za.exe\"))\nindex: so-*\nname: Judgement Panda Exfil Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7437,'Issue',412,9,'{{collapse(View Sigma)\n
\n\ntitle: Judgement Panda Exfil Activity\nid: 03e2746e-2b31-42f1-ab7a-eb39365b2422\ndescription: Detects Judgement Panda activity as described in Global Threat Report\n  2019 by Crowdstrike\nreferences:\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nauthor: Florian Roth\ndate: 2019/02/21\ntags:\n- attack.lateral_movement\n- attack.g0010\n- attack.credential_access\n- attack.t1098\n- attack.exfiltration\n- attack.t1002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'*\\ldifde.exe -f -n *\'\n    - \'*\\7za.exe a 1.7z *\'\n    - \'* eprod.ldf\'\n    - \'*\\aaaa\\procdump64.exe*\'\n    - \'*\\aaaa\\netsess.exe*\'\n    - \'*\\aaaa\\7za.exe*\'\n    - \'*copy .\\1.7z \\\\*\'\n    - \'*copy \\\\client\\c$\\aaaa\\\\*\'\n  selection2:\n    Image: C:\\Users\\Public\\7za.exe\n  condition: selection1 or selection2\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7438,'Issue',412,15,'T1098'),(7439,'Issue',412,15,'T1002'),(7440,'Issue',413,1,'Mustang Panda Dropper'),(7441,'Issue',413,2,'Florian Roth'),(7442,'Issue',413,8,'https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/\nhttps://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/\nhttps://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations'),(7443,'Issue',413,10,'high'),(7444,'Issue',413,13,'community'),(7445,'Issue',413,14,'windows'),(7446,'Issue',413,15,''),(7447,'Issue',413,11,'aad32826a'),(7448,'Issue',413,12,'2d87d610-d760-45ee-a7e6-7a6f2a65de00'),(7449,'Issue',413,16,'win-proc'),(7450,'Issue',413,17,''),(7451,'Issue',413,7,''),(7452,'Issue',413,3,'Detects specific process parameters as used by Mustang Panda droppers'),(7453,'Issue',413,4,''),(7454,'Issue',413,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7455,'Issue',413,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*Temp\\\\wtask.exe\\ \\/create* OR *%windir\\:\\~\\-3,1%%PUBLIC\\:\\~\\-9,1%* OR *\\/E\\:vbscript\\ *\\ C\\:\\\\Users\\*.txt\\\"\\ \\/F OR *\\/tn\\ \\\"Security\\ Script\\ * OR *%windir\\:\\~\\-1,1%*) OR process.executable.keyword:(*Temp\\\\winwsh.exe)))\nindex: so-*\nname: Mustang Panda Dropper\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7456,'Issue',413,9,'{{collapse(View Sigma)\n
\n\ntitle: Mustang Panda Dropper\nid: 2d87d610-d760-45ee-a7e6-7a6f2a65de00\nstatus: experimental\ndescription: Detects specific process parameters as used by Mustang Panda droppers\nauthor: Florian Roth\ndate: 2019/10/30\nreferences:\n- https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/\n- https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/\n- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'*Temp\\wtask.exe /create*\'\n    - \'*%windir:~-3,1%%PUBLIC:~-9,1%*\'\n    - \'*/E:vbscript * C:\\Users\\*.txt\" /F\'\n    - \'*/tn \"Security Script *\'\n    - \'*%windir:~-1,1%*\'\n  selection2:\n    Image:\n    - \'*Temp\\winwsh.exe\'\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}'),(7457,'Issue',414,1,'Sofacy Trojan Loader Activity'),(7458,'Issue',414,2,'Florian Roth'),(7459,'Issue',414,8,'https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/\nhttps://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100\nhttps://twitter.com/ClearskySec/status/960924755355369472'),(7460,'Issue',414,10,'critical'),(7461,'Issue',414,13,'community'),(7462,'Issue',414,14,'windows'),(7464,'Issue',414,11,'6b2144b03'),(7465,'Issue',414,12,'ba778144-5e3d-40cf-8af9-e28fb1df1e20'),(7466,'Issue',414,16,'win-proc'),(7467,'Issue',414,17,''),(7468,'Issue',414,7,''),(7469,'Issue',414,3,'Detects Trojan loader acitivty as used by APT28'),(7470,'Issue',414,4,''),(7471,'Issue',414,5,'_False Positives_\nUnknown'),(7472,'Issue',414,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(rundll32.exe\\ %APPDATA%\\\\*.dat\\\",* OR rundll32.exe\\ %APPDATA%\\\\*.dll\\\",#1))\nindex: so-*\nname: Sofacy Trojan Loader Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7473,'Issue',414,9,'{{collapse(View Sigma)\n
\n\ntitle: Sofacy Trojan Loader Activity\nid: ba778144-5e3d-40cf-8af9-e28fb1df1e20\nauthor: Florian Roth\nstatus: experimental\ndate: 2018/03/01\ndescription: Detects Trojan loader acitivty as used by APT28\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/\n- https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100\n- https://twitter.com/ClearskySec/status/960924755355369472\ntags:\n- attack.g0007\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\n- car.2013-10-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - rundll32.exe %APPDATA%\\\\*.dat\",*\n    - rundll32.exe %APPDATA%\\\\*.dll\",#1\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7474,'Issue',414,15,'T1059'),(7475,'Issue',414,15,'T1085'),(7476,'Issue',415,1,'Ps.exe Renamed SysInternals Tool'),(7477,'Issue',415,2,'Florian Roth'),(7478,'Issue',415,8,'https://www.us-cert.gov/ncas/alerts/TA17-293A'),(7479,'Issue',415,10,'high'),(7480,'Issue',415,13,'community'),(7481,'Issue',415,14,'windows'),(7483,'Issue',415,11,'0ec020dd0'),(7484,'Issue',415,12,'18da1007-3f26-470f-875d-f77faf1cab31'),(7485,'Issue',415,16,'win-proc'),(7486,'Issue',415,17,''),(7487,'Issue',415,7,''),(7488,'Issue',415,3,'Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report'),(7489,'Issue',415,4,''),(7490,'Issue',415,5,'_False Positives_\nRenamed SysInternals tool'),(7491,'Issue',415,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:\"ps.exe\\ \\-accepteula\")\nindex: so-*\nname: Ps.exe Renamed SysInternals Tool\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7492,'Issue',415,9,'{{collapse(View Sigma)\n
\n\ntitle: Ps.exe Renamed SysInternals Tool\nid: 18da1007-3f26-470f-875d-f77faf1cab31\ndescription: Detects renamed SysInternals tool execution with a binary named ps.exe\n  as used by Dragonfly APT group and documented in TA17-293A report\nreferences:\n- https://www.us-cert.gov/ncas/alerts/TA17-293A\ntags:\n- attack.defense_evasion\n- attack.g0035\n- attack.t1036\n- car.2013-05-009\nauthor: Florian Roth\ndate: 2017/10/22\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: ps.exe -accepteula\n  condition: selection\nfalsepositives:\n- Renamed SysInternals tool\nlevel: high\n\n
\n}}'),(7493,'Issue',415,15,'T1036'),(7494,'Issue',416,1,'TropicTrooper Campaign November 2018'),(7495,'Issue',416,2,'@41thexplorer, Microsoft Defender ATP'),(7496,'Issue',416,8,'https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/'),(7497,'Issue',416,10,'high'),(7498,'Issue',416,13,'community'),(7499,'Issue',416,14,'windows'),(7501,'Issue',416,11,'95510b4d4'),(7502,'Issue',416,12,'8c7090c3-e0a0-4944-bd08-08c3a0cecf79'),(7503,'Issue',416,16,'win-proc'),(7504,'Issue',416,17,''),(7505,'Issue',416,7,''),(7506,'Issue',416,3,'Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia'),(7507,'Issue',416,4,''),(7508,'Issue',416,5,'_False Positives_\n Unknown'),(7509,'Issue',416,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*)\nindex: so-*\nname: TropicTrooper Campaign November 2018\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7510,'Issue',416,9,'{{collapse(View Sigma)\n
\n\ntitle: TropicTrooper Campaign November 2018\nid: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79\nauthor: \'@41thexplorer, Microsoft Defender ATP\'\nstatus: stable\ndate: 2019/11/12\ndescription: Detects TropicTrooper activity, an actor who targeted high-profile organizations\n  in the energy and food and beverage sectors in Asia\nreferences:\n- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/\ntags:\n- attack.execution\n- attack.t1085\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*\'\n  condition: selection\nlevel: high\n\n
\n}}'),(7511,'Issue',416,15,'T1085'),(7512,'Issue',417,1,'Winnti Malware HK University Campaign'),(7513,'Issue',417,2,'Florian Roth, Markus Neis'),(7514,'Issue',417,8,'https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/'),(7515,'Issue',417,10,'critical'),(7516,'Issue',417,13,'community'),(7517,'Issue',417,14,'windows'),(7519,'Issue',417,11,'c6c18314b'),(7520,'Issue',417,12,'3121461b-5aa0-4a41-b910-66d25524edbb'),(7521,'Issue',417,16,'win-proc'),(7522,'Issue',417,17,''),(7523,'Issue',417,7,''),(7524,'Issue',417,3,'Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities'),(7525,'Issue',417,4,''),(7526,'Issue',417,5,'_False Positives_\nUnlikely'),(7527,'Issue',417,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:(*C\\:\\\\Windows\\\\Temp* OR *\\\\hpqhvind.exe*) AND process.executable.keyword:C\\:\\\\ProgramData\\\\DRM*) OR (process.parent.executable.keyword:C\\:\\\\ProgramData\\\\DRM* AND process.executable.keyword:*\\\\wmplayer.exe) OR (process.parent.executable.keyword:*\\\\Test.exe AND process.executable.keyword:*\\\\wmplayer.exe) OR process.executable:\"C\\:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe\" OR (process.parent.executable.keyword:C\\:\\\\ProgramData\\\\DRM\\\\Windows* AND process.executable.keyword:*\\\\SearchFilterHost.exe)))\nindex: so-*\nname: Winnti Malware HK University Campaign\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7528,'Issue',417,9,'{{collapse(View Sigma)\n
\n\ntitle: Winnti Malware HK University Campaign\nid: 3121461b-5aa0-4a41-b910-66d25524edbb\nstatus: experimental\ndescription: Detects specific process characteristics of Winnti malware noticed in\n  Dec/Jan 2020 in a campaign against Honk Kong universities\nreferences:\n- https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.g0044\nauthor: Florian Roth, Markus Neis\ndate: 2020/02/01\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    ParentImage|contains:\n    - C:\\Windows\\Temp\n    - \\hpqhvind.exe\n    Image|startswith: C:\\ProgramData\\DRM\n  selection2:\n    ParentImage|startswith: C:\\ProgramData\\DRM\n    Image|endswith: \\wmplayer.exe\n  selection3:\n    ParentImage|endswith: \\Test.exe\n    Image|endswith: \\wmplayer.exe\n  selection4:\n    Image: C:\\ProgramData\\DRM\\CLR\\CLR.exe\n  selection5:\n    ParentImage|startswith: C:\\ProgramData\\DRM\\Windows\n    Image|endswith: \\SearchFilterHost.exe\n  condition: 1 of them\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7529,'Issue',417,15,'T1073'),(7530,'Issue',418,1,'ZxShell Malware'),(7531,'Issue',418,2,'Florian Roth'),(7532,'Issue',418,8,'https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100'),(7533,'Issue',418,10,'critical'),(7534,'Issue',418,13,'community'),(7535,'Issue',418,14,'windows'),(7537,'Issue',418,11,'948a1b3c3'),(7538,'Issue',418,12,'f0b70adb-0075-43b0-9745-e82a1c608fcc'),(7539,'Issue',418,16,'win-proc'),(7540,'Issue',418,17,''),(7541,'Issue',418,7,''),(7542,'Issue',418,3,'Detects a ZxShell start by the called and well-known function name'),(7543,'Issue',418,4,''),(7544,'Issue',418,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7545,'Issue',418,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND Command.keyword:(rundll32.exe\\ *,zxFunction* OR rundll32.exe\\ *,RemoteDiskXXXXX))\nindex: so-*\nname: ZxShell Malware\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7546,'Issue',418,9,'{{collapse(View Sigma)\n
\n\ntitle: ZxShell Malware\nid: f0b70adb-0075-43b0-9745-e82a1c608fcc\ndescription: Detects a ZxShell start by the called and well-known function name\nauthor: Florian Roth\ndate: 2017/07/20\nreferences:\n- https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100\ntags:\n- attack.g0001\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Command:\n    - rundll32.exe *,zxFunction*\n    - rundll32.exe *,RemoteDiskXXXXX\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7547,'Issue',418,15,'T1059'),(7548,'Issue',418,15,'T1085'),(7549,'Issue',419,1,'Hiding Files with Attrib.exe'),(7550,'Issue',419,2,'Sami Ruohonen'),(7551,'Issue',419,8,'none'),(7552,'Issue',419,10,'low'),(7553,'Issue',419,13,'community'),(7554,'Issue',419,14,'windows'),(7556,'Issue',419,11,'3ac07f0c1'),(7557,'Issue',419,12,'4281cb20-2994-4580-aa63-c8b86d019934'),(7558,'Issue',419,16,'win-proc'),(7559,'Issue',419,17,''),(7560,'Issue',419,7,''),(7561,'Issue',419,3,'Detects usage of attrib.exe to hide files from users.'),(7562,'Issue',419,4,''),(7563,'Issue',419,5,'_False Positives_\nigfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)\nmsiexec.exe hiding desktop.ini\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nUser'),(7564,'Issue',419,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\attrib.exe AND process.command_line.keyword:*\\ \\+h\\ *) AND (NOT (((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\desktop.ini\\ * OR (process.parent.executable.keyword:*\\\\cmd.exe AND process.command_line.keyword:\\+R\\ \\+H\\ \\+S\\ \\+A\\ \\\\*.cui AND process.parent.command_line.keyword:C\\:\\\\WINDOWS\\\\system32\\\\*.bat))))))\nindex: so-*\nname: Hiding Files with Attrib.exe\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7565,'Issue',419,9,'{{collapse(View Sigma)\n
\n\ntitle: Hiding Files with Attrib.exe\nid: 4281cb20-2994-4580-aa63-c8b86d019934\nstatus: experimental\ndescription: Detects usage of attrib.exe to hide files from users.\nauthor: Sami Ruohonen\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\attrib.exe\'\n    CommandLine: \'* +h *\'\n  ini:\n    CommandLine: \'*\\desktop.ini *\'\n  intel:\n    ParentImage: \'*\\cmd.exe\'\n    CommandLine: +R +H +S +A \\\\*.cui\n    ParentCommandLine: C:\\WINDOWS\\system32\\\\*.bat\n  condition: selection and not (ini or intel)\nfields:\n- CommandLine\n- ParentCommandLine\n- User\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1158\nfalsepositives:\n- igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe\n  and igfxCUIService.exe is the parent of the cmd.exe)\n- msiexec.exe hiding desktop.ini\nlevel: low\n\n
\n}}'),(7566,'Issue',419,15,'T1158'),(7567,'Issue',420,1,'Modification of Boot Configuration'),(7568,'Issue',420,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(7569,'Issue',420,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html'),(7570,'Issue',420,10,'high'),(7571,'Issue',420,13,'community'),(7572,'Issue',420,14,'windows'),(7574,'Issue',420,11,'af9bb527e'),(7575,'Issue',420,12,'1444443e-6757-43e4-9ea4-c8fc705f79a2'),(7576,'Issue',420,16,'win-proc'),(7577,'Issue',420,17,''),(7578,'Issue',420,7,''),(7579,'Issue',420,3,'Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.'),(7580,'Issue',420,4,''),(7581,'Issue',420,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(7582,'Issue',420,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\bcdedit.exe AND process.command_line:\"set\") AND ((process.command_line.keyword:*bootstatuspolicy* AND process.command_line.keyword:*ignoreallfailures*) OR (process.command_line.keyword:*recoveryenabled* AND process.command_line.keyword:*no*)))\nindex: so-*\nname: Modification of Boot Configuration\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7583,'Issue',420,9,'{{collapse(View Sigma)\n
\n\ntitle: Modification of Boot Configuration\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\ndescription: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive\n    technique.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\n    - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        Image|endswith: \\bcdedit.exe\n        CommandLine|contains: set\n    selection2:\n        - CommandLine|contains|all:\n            - bootstatuspolicy\n            - ignoreallfailures\n        - CommandLine|contains|all:\n            - recoveryenabled\n            - \'no\'\n    condition: selection1 and selection2\nfields:\n    - ComputerName\n    - User\n    - CommandLine\nfalsepositives:\n    - Unlikely\nlevel: high\n\n
\n}}'),(7584,'Issue',420,15,'T1490'),(7585,'Issue',421,1,'SquiblyTwo'),(7586,'Issue',421,2,'Markus Neis / Florian Roth'),(7587,'Issue',421,8,'https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html\nhttps://twitter.com/mattifestation/status/986280382042595328'),(7588,'Issue',421,10,'medium'),(7589,'Issue',421,13,'community'),(7590,'Issue',421,14,'windows'),(7592,'Issue',421,11,'0eab446eb'),(7593,'Issue',421,12,'8d63dadf-b91b-4187-87b6-34a1114577ea'),(7594,'Issue',421,16,'win-proc'),(7595,'Issue',421,17,''),(7596,'Issue',421,7,''),(7597,'Issue',421,3,'Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash'),(7598,'Issue',421,4,''),(7599,'Issue',421,5,'_False Positives_\nUnknown'),(7600,'Issue',421,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\wmic.exe) AND process.command_line.keyword:(wmic\\ *\\ *format\\:\\\\\\\"http* OR wmic\\ *\\ \\/format\\:\'http OR wmic\\ *\\ \\/format\\:http*)) OR (event_data.Imphash:(\"1B1A3F43BF37B5BFE60751F2EE2F326E\" OR \"37777A96245A3C74EB217308F3546F4C\" OR \"9D87C9D67CE724033C0B40CC4CA1B206\") AND process.command_line.keyword:(*\\ *format\\:\\\\\\\"http* OR *\\ \\/format\\:\'http OR *\\ \\/format\\:http*))))\nindex: so-*\nname: SquiblyTwo\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7601,'Issue',421,9,'{{collapse(View Sigma)\n
\n\ntitle: SquiblyTwo\nid: 8d63dadf-b91b-4187-87b6-34a1114577ea\nstatus: experimental\ndescription: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for\n  imphash\nreferences:\n- https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html\n- https://twitter.com/mattifestation/status/986280382042595328\ntags:\n- attack.defense_evasion\n- attack.t1047\nauthor: Markus Neis / Florian Roth\ndate: 2019/01/16\nfalsepositives:\n- Unknown\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image:\n    - \'*\\wmic.exe\'\n    CommandLine:\n    - wmic * *format:\\\"http*\n    - wmic * /format:\'http\n    - wmic * /format:http*\n  selection2:\n    Imphash:\n    - 1B1A3F43BF37B5BFE60751F2EE2F326E\n    - 37777A96245A3C74EB217308F3546F4C\n    - 9D87C9D67CE724033C0B40CC4CA1B206\n    CommandLine:\n    - \'* *format:\\\"http*\'\n    - \"* /format:\'http\"\n    - \'* /format:http*\'\n  condition: 1 of them\n\n
\n}}'),(7602,'Issue',421,15,'T1047'),(7603,'Issue',422,1,'Change Default File Association'),(7604,'Issue',422,2,'Timur Zinniatullin, oscd.community'),(7605,'Issue',422,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml'),(7606,'Issue',422,10,'low'),(7607,'Issue',422,13,'community'),(7608,'Issue',422,14,'windows'),(7610,'Issue',422,11,'d63bbd05e'),(7611,'Issue',422,12,'3d3aa6cd-6272-44d6-8afc-7e88dfef7061'),(7612,'Issue',422,16,'win-proc'),(7613,'Issue',422,17,''),(7614,'Issue',422,7,''),(7615,'Issue',422,3,'When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.'),(7616,'Issue',422,4,''),(7617,'Issue',422,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(7618,'Issue',422,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*cmd* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*assoc*)\nindex: so-*\nname: Change Default File Association\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7619,'Issue',422,9,'{{collapse(View Sigma)\n
\n\ntitle: Change Default File Association\nid: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061\nstatus: experimental\ndescription: When a file is opened, the default program used to open the file (also\n  called the file association or handler) is checked. File association selections\n  are stored in the Windows Registry and can be edited by users, administrators, or\n  programs that have Registry access or by administrators using the built-in assoc\n  utility. Applications can modify the file association for a given file extension\n  to call an arbitrary program when a file with the given extension is opened.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - cmd\n    - /c\n    - assoc\n  condition: selection\nfalsepositives:\n- Admin activity\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.persistence\n- attack.t1042\n\n
\n}}'),(7620,'Issue',422,15,'T1042'),(7621,'Issue',423,1,'Cmdkey Cached Credentials Recon'),(7622,'Issue',423,2,'jmallette'),(7623,'Issue',423,8,'https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation\nhttps://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx'),(7624,'Issue',423,10,'low'),(7625,'Issue',423,13,'community'),(7626,'Issue',423,14,'windows'),(7628,'Issue',423,11,'38a2cfd6c'),(7629,'Issue',423,12,'07f8bdc2-c9b3-472a-9817-5a670b872f53'),(7630,'Issue',423,16,'win-proc'),(7631,'Issue',423,17,''),(7632,'Issue',423,7,''),(7633,'Issue',423,3,'Detects usage of cmdkey to look for cached credentials'),(7634,'Issue',423,4,''),(7635,'Issue',423,5,'_False Positives_\nLegitimate administrative tasks.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nUser'),(7636,'Issue',423,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cmdkey.exe AND process.command_line.keyword:*\\ \\/list\\ *)\nindex: so-*\nname: Cmdkey Cached Credentials Recon\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7637,'Issue',423,9,'{{collapse(View Sigma)\n
\n\ntitle: Cmdkey Cached Credentials Recon\nid: 07f8bdc2-c9b3-472a-9817-5a670b872f53\nstatus: experimental\ndescription: Detects usage of cmdkey to look for cached credentials\nreferences:\n- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation\n- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx\nauthor: jmallette\ndate: 2019/01/16\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\cmdkey.exe\'\n    CommandLine: \'* /list *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\n- User\nfalsepositives:\n- Legitimate administrative tasks.\nlevel: low\n\n
\n}}'),(7638,'Issue',423,15,'T1003'),(7639,'Issue',424,1,'CMSTP UAC Bypass via COM Object Access'),(7640,'Issue',424,2,'Nik Seetharaman'),(7641,'Issue',424,8,'http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\nhttps://twitter.com/hFireF0X/status/897640081053364225'),(7642,'Issue',424,10,'high'),(7643,'Issue',424,13,'community'),(7644,'Issue',424,14,'windows'),(7646,'Issue',424,11,'bdaa50dae'),(7647,'Issue',424,12,'4b60e6f2-bf39-47b4-b4ea-398e33cfe253'),(7648,'Issue',424,16,'win-proc'),(7649,'Issue',424,17,''),(7650,'Issue',424,7,''),(7651,'Issue',424,3,'Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects'),(7652,'Issue',424,4,''),(7653,'Issue',424,5,'_False Positives_\nLegitimate CMSTP use (unlikely in modern enterprise environments)\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nHashes'),(7654,'Issue',424,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:*\\\\DllHost.exe AND process.parent.command_line.keyword:(*\\{3E5FC7F9\\-9A51\\-4367\\-9063\\-A120244FBEC7\\} OR *\\{3E000D72\\-A845\\-4CD9\\-BD83\\-80C07C3B881F\\}))\nindex: so-*\nname: CMSTP UAC Bypass via COM Object Access\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7655,'Issue',424,9,'{{collapse(View Sigma)\n
\n\ntitle: CMSTP UAC Bypass via COM Object Access\nid: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253\nstatus: stable\ndescription: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile\n  Installer Autoelevate-capable COM Objects\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.execution\n- attack.t1088\n- attack.t1191\n- attack.g0069\n- car.2019-04-001\nauthor: Nik Seetharaman\nmodified: 2019/07/31\ndate: 2019/01/16\nreferences:\n- http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\n- https://twitter.com/hFireF0X/status/897640081053364225\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    ParentCommandLine: \'*\\DllHost.exe\'\n  selection2:\n    ParentCommandLine:\n    - \'*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\'\n    - \'*{3E000D72-A845-4CD9-BD83-80C07C3B881F}\'\n  condition: selection1 and selection2\nfields:\n- CommandLine\n- ParentCommandLine\n- Hashes\nfalsepositives:\n- Legitimate CMSTP use (unlikely in modern enterprise environments)\nlevel: high\n\n
\n}}'),(7656,'Issue',424,15,'T1088'),(7657,'Issue',424,15,'T1191'),(7658,'Issue',425,1,'Control Panel Items'),(7659,'Issue',425,2,'Kyaw Min Thein'),(7660,'Issue',425,8,'none'),(7661,'Issue',425,10,'critical'),(7662,'Issue',425,13,'community'),(7663,'Issue',425,14,'windows'),(7665,'Issue',425,11,'10df22d5c'),(7666,'Issue',425,12,'0ba863e6-def5-4e50-9cea-4dd8c7dc46a4'),(7667,'Issue',425,16,'win-proc'),(7668,'Issue',425,17,''),(7669,'Issue',425,7,''),(7670,'Issue',425,3,'Detects the use of a control panel item (.cpl) outside of the System32 folder'),(7671,'Issue',425,4,''),(7672,'Issue',425,5,'_False Positives_\nUnknown'),(7673,'Issue',425,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*.cpl AND (NOT (process.command_line.keyword:(*\\\\System32\\\\* OR *%System%*))))\nindex: so-*\nname: Control Panel Items\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7674,'Issue',425,9,'{{collapse(View Sigma)\n
\n\ntitle: Control Panel Items\nid: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4\nstatus: experimental\ndescription: Detects the use of a control panel item (.cpl) outside of the System32\n  folder\nreference:\n- https://attack.mitre.org/techniques/T1196/\ntags:\n- attack.execution\n- attack.t1196\n- attack.defense_evasion\nauthor: Kyaw Min Thein\ndate: 2019/08/27\nlevel: critical\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection:\n    CommandLine: \'*.cpl\'\n  filter:\n    CommandLine:\n    - \'*\\System32\\\\*\'\n    - \'*%System%*\'\n  condition: selection and not filter\nfalsepositives:\n- Unknown\n\n
\n}}'),(7675,'Issue',425,15,'T1196'),(7676,'Issue',426,1,'Copying Sensitive Files with Credential Data'),(7677,'Issue',426,2,'Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(7678,'Issue',426,8,'https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/\nhttps://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/'),(7679,'Issue',426,10,'high'),(7680,'Issue',426,13,'community'),(7681,'Issue',426,14,'windows'),(7683,'Issue',426,11,'7971e8131'),(7684,'Issue',426,12,'e7be6119-fc37-43f0-ad4f-1f3f99be2f9f'),(7685,'Issue',426,16,'win-proc'),(7686,'Issue',426,17,''),(7687,'Issue',426,7,''),(7688,'Issue',426,3,'Files with well-known filenames (sensitive files with credential data) copying'),(7689,'Issue',426,4,''),(7690,'Issue',426,5,'_False Positives_\nCopying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator'),(7691,'Issue',426,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\esentutl.exe AND process.command_line.keyword:(*vss* OR *\\ \\/m\\ * OR *\\ \\/y\\ *)) OR process.command_line.keyword:(*\\\\windows\\\\ntds\\\\ntds.dit* OR *\\\\config\\\\sam* OR *\\\\config\\\\security* OR *\\\\config\\\\system\\ * OR *\\\\repair\\\\sam* OR *\\\\repair\\\\system* OR *\\\\repair\\\\security* OR *\\\\config\\\\RegBack\\\\sam* OR *\\\\config\\\\RegBack\\\\system* OR *\\\\config\\\\RegBack\\\\security*)))\nindex: so-*\nname: Copying Sensitive Files with Credential Data\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7692,'Issue',426,9,'{{collapse(View Sigma)\n
\n\ntitle: Copying Sensitive Files with Credential Data\nid: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f\ndescription: Files with well-known filenames (sensitive files with credential data)\n  copying\nstatus: experimental\nauthor: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/13\nreferences:\n- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/\ntags:\n- attack.credential_access\n- attack.t1003\n- car.2013-07-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\esentutl.exe\n    CommandLine|contains:\n    - vss\n    - \' /m \'\n    - \' /y \'\n  - CommandLine|contains:\n    - \\windows\\ntds\\ntds.dit\n    - \\config\\sam\n    - \\config\\security\n    - \'\\config\\system \'\n    - \\repair\\sam\n    - \\repair\\system\n    - \\repair\\security\n    - \\config\\RegBack\\sam\n    - \\config\\RegBack\\system\n    - \\config\\RegBack\\security\n  condition: selection\nfalsepositives:\n- Copying sensitive files for legitimate use (eg. backup) or forensic investigation\n  by legitimate incident responder or forensic invetigator\nlevel: high\n\n
\n}}'),(7693,'Issue',426,15,'T1003'),(7694,'Issue',427,1,'Fireball Archer Install'),(7695,'Issue',427,2,'Florian Roth'),(7696,'Issue',427,8,'https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/\nhttps://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100'),(7697,'Issue',427,10,'high'),(7698,'Issue',427,13,'community'),(7699,'Issue',427,14,'windows'),(7701,'Issue',427,11,'7652cf061'),(7702,'Issue',427,12,'3d4aebe0-6d29-45b2-a8a4-3dfde586a26d'),(7703,'Issue',427,16,'win-proc'),(7704,'Issue',427,17,''),(7705,'Issue',427,7,''),(7706,'Issue',427,3,'Detects Archer malware invocation via rundll32'),(7707,'Issue',427,4,''),(7708,'Issue',427,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7709,'Issue',427,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\rundll32.exe\\ *,InstallArcherSvc)\nindex: so-*\nname: Fireball Archer Install\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7710,'Issue',427,9,'{{collapse(View Sigma)\n
\n\ntitle: Fireball Archer Install\nid: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d\nstatus: experimental\ndescription: Detects Archer malware invocation via rundll32\nauthor: Florian Roth\ndate: 2017/06/03\nreferences:\n- https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/\n- https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100\ntags:\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*\\rundll32.exe *,InstallArcherSvc\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7711,'Issue',427,15,'T1059'),(7712,'Issue',427,15,'T1085'),(7713,'Issue',428,1,'Data Compressed - rar.exe'),(7714,'Issue',428,2,'Timur Zinniatullin, E.M. Anhaus, oscd.community'),(7715,'Issue',428,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html'),(7716,'Issue',428,10,'low'),(7717,'Issue',428,13,'community'),(7718,'Issue',428,14,'windows'),(7720,'Issue',428,11,'d76dd00e5'),(7721,'Issue',428,12,'6f3e2987-db24-4c78-a860-b4f4095a7095'),(7722,'Issue',428,16,'win-proc'),(7723,'Issue',428,17,''),(7724,'Issue',428,7,''),(7725,'Issue',428,3,'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network'),(7726,'Issue',428,4,''),(7727,'Issue',428,5,'_False Positives_\nhighly likely if rar is default archiver in the monitored environment\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(7728,'Issue',428,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\rar.exe AND process.command_line.keyword:*\\ a\\ *)\nindex: so-*\nname: Data Compressed - rar.exe\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7729,'Issue',428,9,'{{collapse(View Sigma)\n
\n\ntitle: Data Compressed - rar.exe\nid: 6f3e2987-db24-4c78-a860-b4f4095a7095\nstatus: experimental\ndescription: An adversary may compress data (e.g., sensitive documents) that is collected\n  prior to exfiltration in order to make it portable and minimize the amount of data\n  sent over the network\nauthor: Timur Zinniatullin, E.M. Anhaus, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\rar.exe\n    CommandLine|contains: \' a \'\n  condition: selection\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nfalsepositives:\n- highly likely if rar is default archiver in the monitored environment\nlevel: low\ntags:\n- attack.exfiltration\n- attack.t1002\n\n
\n}}'),(7730,'Issue',428,15,'T1002'),(7731,'Issue',429,1,'Domain Trust Discovery'),(7732,'Issue',429,2,'Jakob Weinzettl, oscd.community'),(7733,'Issue',429,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml'),(7734,'Issue',429,10,'medium'),(7735,'Issue',429,13,'community'),(7736,'Issue',429,14,'windows'),(7738,'Issue',429,11,'16e2ea51f'),(7739,'Issue',429,12,'77815820-246c-47b8-9741-e0def3f57308'),(7740,'Issue',429,16,'win-proc'),(7741,'Issue',429,17,''),(7742,'Issue',429,7,''),(7743,'Issue',429,3,'Detects a discovery of domain trusts'),(7744,'Issue',429,4,''),(7745,'Issue',429,5,'_False Positives_\nAdministration of systems'),(7746,'Issue',429,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\dsquery.exe AND process.command_line.keyword:*\\-filter* AND process.command_line.keyword:*trustedDomain*) OR (process.executable.keyword:*\\\\nltest.exe AND process.command_line.keyword:*domain_trusts*)))\nindex: so-*\nname: Domain Trust Discovery\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7747,'Issue',429,9,'{{collapse(View Sigma)\n
\n\ntitle: Domain Trust Discovery\nid: 77815820-246c-47b8-9741-e0def3f57308\nstatus: experimental\ndescription: Detects a discovery of domain trusts\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.discovery\n- attack.t1482\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\dsquery.exe\n    CommandLine|contains|all:\n    - -filter\n    - trustedDomain\n  - Image|endswith: \\nltest.exe\n    CommandLine|contains: domain_trusts\n  condition: selection\nfalsepositives:\n- Administration of systems\nlevel: medium\n\n
\n}}'),(7748,'Issue',429,15,'T1482'),(7749,'Issue',430,1,'Encoded FromBase64String'),(7750,'Issue',430,2,'Florian Roth'),(7751,'Issue',430,8,'none'),(7752,'Issue',430,10,'critical'),(7753,'Issue',430,13,'community'),(7754,'Issue',430,14,'windows'),(7756,'Issue',430,11,'ad3c56884'),(7757,'Issue',430,12,'fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c'),(7758,'Issue',430,16,'win-proc'),(7759,'Issue',430,17,''),(7760,'Issue',430,7,''),(7761,'Issue',430,3,'Detects a base64 encoded FromBase64String keyword in a process command line'),(7762,'Issue',430,4,''),(7763,'Issue',430,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7764,'Issue',430,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*))\nindex: so-*\nname: Encoded FromBase64String\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7765,'Issue',430,9,'{{collapse(View Sigma)\n
\n\ntitle: Encoded FromBase64String\nid: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c\nstatus: experimental\ndescription: Detects a base64 encoded FromBase64String keyword in a process command\n  line\nauthor: Florian Roth\ndate: 2019/08/24\ntags:\n- attack.t1086\n- attack.t1140\n- attack.execution\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|base64offset|contains: ::FromBase64String\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7766,'Issue',430,15,'T1086'),(7767,'Issue',430,15,'T1140'),(7768,'Issue',431,1,'Encoded IEX'),(7769,'Issue',431,2,'Florian Roth'),(7770,'Issue',431,8,'none'),(7771,'Issue',431,10,'critical'),(7772,'Issue',431,13,'community'),(7773,'Issue',431,14,'windows'),(7775,'Issue',431,11,'111891242'),(7776,'Issue',431,12,'88f680b8-070e-402c-ae11-d2914f2257f1'),(7777,'Issue',431,16,'win-proc'),(7778,'Issue',431,17,''),(7779,'Issue',431,7,''),(7780,'Issue',431,3,'Detects a base64 encoded IEX command string in a process command line'),(7781,'Issue',431,4,''),(7782,'Issue',431,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7783,'Issue',431,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*))\nindex: so-*\nname: Encoded IEX\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7784,'Issue',431,9,'{{collapse(View Sigma)\n
\n\ntitle: Encoded IEX\nid: 88f680b8-070e-402c-ae11-d2914f2257f1\nstatus: experimental\ndescription: Detects a base64 encoded IEX command string in a process command line\nauthor: Florian Roth\ndate: 2019/08/23\ntags:\n- attack.t1086\n- attack.t1140\n- attack.execution\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|base64offset|contains:\n    - IEX ([\n    - iex ([\n    - iex (New\n    - IEX (New\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7785,'Issue',431,15,'T1086'),(7786,'Issue',431,15,'T1140'),(7787,'Issue',432,1,'Disable of ETW Trace'),(7788,'Issue',432,2,'@neu5ron, Florian Roth'),(7789,'Issue',432,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml\nhttps://abuse.io/lockergoga.txt'),(7790,'Issue',432,10,'high'),(7791,'Issue',432,13,'community'),(7792,'Issue',432,14,'windows'),(7794,'Issue',432,11,'f0cec20a1'),(7795,'Issue',432,12,'a238b5d0-ce2d-4414-a676-7a531b3d13d6'),(7796,'Issue',432,16,'win-proc'),(7797,'Issue',432,17,''),(7798,'Issue',432,7,''),(7799,'Issue',432,3,'Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.'),(7800,'Issue',432,4,''),(7801,'Issue',432,5,'_False Positives_\nUnknown'),(7802,'Issue',432,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\ cl\\ *\\/Trace* OR process.command_line.keyword:*\\ clear\\-log\\ *\\/Trace* OR process.command_line.keyword:*\\ sl*\\ \\/e\\:false* OR process.command_line.keyword:*\\ set\\-log*\\ \\/e\\:false*))\nindex: so-*\nname: Disable of ETW Trace\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7803,'Issue',432,9,'{{collapse(View Sigma)\n
\n\ntitle: Disable of ETW Trace\nid: a238b5d0-ce2d-4414-a676-7a531b3d13d6\ndescription: Detects a command that clears or disables any ETW trace log which could\n  indicate a logging evasion.\nstatus: experimental\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\n- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml\n- https://abuse.io/lockergoga.txt\nauthor: \'@neu5ron, Florian Roth\'\ndate: 2019/03/22\ntags:\n- attack.execution\n- attack.t1070\n- car.2016-04-002\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_clear_1:\n    CommandLine: \'* cl */Trace*\'\n  selection_clear_2:\n    CommandLine: \'* clear-log */Trace*\'\n  selection_disable_1:\n    CommandLine: \'* sl* /e:false*\'\n  selection_disable_2:\n    CommandLine: \'* set-log* /e:false*\'\n  condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2\nfalsepositives:\n- Unknown\n\n
\n}}'),(7804,'Issue',432,15,'T1070'),(7805,'Issue',433,1,'Exfiltration and Tunneling Tools Execution'),(7806,'Issue',433,2,'Daniil Yugoslavskiy, oscd.community'),(7807,'Issue',433,8,'none'),(7808,'Issue',433,10,'medium'),(7809,'Issue',433,13,'community'),(7810,'Issue',433,14,'windows'),(7812,'Issue',433,11,'800c545f1'),(7813,'Issue',433,12,'c75309a3-59f8-4a8d-9c2c-4c927ad50555'),(7814,'Issue',433,16,'win-proc'),(7815,'Issue',433,17,''),(7816,'Issue',433,7,''),(7817,'Issue',433,3,'Execution of well known tools for data exfiltration and tunneling'),(7818,'Issue',433,4,''),(7819,'Issue',433,5,'_False Positives_\nLegitimate Administrator using tools'),(7820,'Issue',433,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\plink.exe OR *\\\\socat.exe OR *\\\\stunnel.exe OR *\\\\httptunnel.exe))\nindex: so-*\nname: Exfiltration and Tunneling Tools Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7821,'Issue',433,9,'{{collapse(View Sigma)\n
\n\ntitle: Exfiltration and Tunneling Tools Execution\nid: c75309a3-59f8-4a8d-9c2c-4c927ad50555\ndescription: Execution of well known tools for data exfiltration and tunneling\nstatus: experimental\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/24\ntags:\n- attack.exfiltration\n- attack.t1020\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    NewProcessName|endswith:\n    - \\plink.exe\n    - \\socat.exe\n    - \\stunnel.exe\n    - \\httptunnel.exe\n  condition: selection\nfalsepositives:\n- Legitimate Administrator using tools\nlevel: medium\n\n
\n}}'),(7822,'Issue',433,15,'T1020'),(7823,'Issue',434,1,'Exploit for CVE-2015-1641'),(7824,'Issue',434,2,'Florian Roth'),(7825,'Issue',434,8,'https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/\nhttps://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100'),(7826,'Issue',434,10,'critical'),(7827,'Issue',434,13,'community'),(7828,'Issue',434,14,'windows'),(7830,'Issue',434,11,'e2a1316d4'),(7831,'Issue',434,12,'7993792c-5ce2-4475-a3db-a3a5539827ef'),(7832,'Issue',434,16,'win-proc'),(7833,'Issue',434,17,''),(7834,'Issue',434,7,''),(7835,'Issue',434,3,'Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641'),(7836,'Issue',434,4,''),(7837,'Issue',434,5,'_False Positives_\nUnknown'),(7838,'Issue',434,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\MicroScMgmt.exe\\ )\nindex: so-*\nname: Exploit for CVE-2015-1641\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7839,'Issue',434,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploit for CVE-2015-1641\nid: 7993792c-5ce2-4475-a3db-a3a5539827ef\nstatus: experimental\ndescription: Detects Winword starting uncommon sub process MicroScMgmt.exe as used\n  in exploits for CVE-2015-1641\nreferences:\n- https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/\n- https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100\nauthor: Florian Roth\ndate: 2018/02/22\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\WINWORD.EXE\'\n    Image: \'*\\MicroScMgmt.exe \'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7840,'Issue',434,15,'T1036'),(7841,'Issue',435,1,'Exploit for CVE-2017-0261'),(7842,'Issue',435,2,'Florian Roth'),(7843,'Issue',435,8,'https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html'),(7844,'Issue',435,10,'medium'),(7845,'Issue',435,13,'community'),(7846,'Issue',435,14,'windows'),(7848,'Issue',435,11,'65dbae284'),(7849,'Issue',435,12,'864403a1-36c9-40a2-a982-4c9a45f7d833'),(7850,'Issue',435,16,'win-proc'),(7851,'Issue',435,17,''),(7852,'Issue',435,7,''),(7853,'Issue',435,3,'Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262'),(7854,'Issue',435,4,''),(7855,'Issue',435,5,'_False Positives_\nSeveral false positives identified, check for suspicious file names or locations (e.g. Temp folders)'),(7856,'Issue',435,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\FLTLDR.exe*)\nindex: so-*\nname: Exploit for CVE-2017-0261\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7857,'Issue',435,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploit for CVE-2017-0261\nid: 864403a1-36c9-40a2-a982-4c9a45f7d833\nstatus: experimental\ndescription: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits\n  for CVE-2017-0261 and CVE-2017-0262\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html\nauthor: Florian Roth\ndate: 2018/02/22\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\WINWORD.EXE\'\n    Image: \'*\\FLTLDR.exe*\'\n  condition: selection\nfalsepositives:\n- Several false positives identified, check for suspicious file names or locations\n  (e.g. Temp folders)\nlevel: medium\n\n
\n}}'),(7858,'Issue',435,15,'T1055'),(7859,'Issue',436,1,'Droppers Exploiting CVE-2017-11882'),(7860,'Issue',436,2,'Florian Roth'),(7861,'Issue',436,8,'https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100\nhttps://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw'),(7862,'Issue',436,10,'critical'),(7863,'Issue',436,13,'community'),(7864,'Issue',436,14,'windows'),(7866,'Issue',436,11,'dcfdfd6d6'),(7867,'Issue',436,12,'678eb5f4-8597-4be6-8be7-905e4234b53a'),(7868,'Issue',436,16,'win-proc'),(7869,'Issue',436,17,''),(7870,'Issue',436,7,''),(7871,'Issue',436,3,'Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe'),(7872,'Issue',436,4,''),(7873,'Issue',436,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine'),(7874,'Issue',436,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\EQNEDT32.EXE)\nindex: so-*\nname: Droppers Exploiting CVE-2017-11882\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7875,'Issue',436,9,'{{collapse(View Sigma)\n
\n\ntitle: Droppers Exploiting CVE-2017-11882\nid: 678eb5f4-8597-4be6-8be7-905e4234b53a\nstatus: experimental\ndescription: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other\n  sub processes like mshta.exe\nreferences:\n- https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100\n- https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw\nauthor: Florian Roth\ndate: 2017/11/23\ntags:\n- attack.defense_evasion\n- attack.t1211\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\EQNEDT32.EXE\'\n  condition: selection\nfields:\n- CommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7876,'Issue',436,15,'T1211'),(7877,'Issue',437,1,'Exploit for CVE-2017-8759'),(7878,'Issue',437,2,'Florian Roth'),(7879,'Issue',437,8,'https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\nhttps://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100'),(7880,'Issue',437,10,'critical'),(7881,'Issue',437,13,'community'),(7882,'Issue',437,14,'windows'),(7884,'Issue',437,11,'d2eddb460'),(7885,'Issue',437,12,'fdd84c68-a1f6-47c9-9477-920584f94905'),(7886,'Issue',437,16,'win-proc'),(7887,'Issue',437,17,''),(7888,'Issue',437,7,''),(7889,'Issue',437,3,'Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759'),(7890,'Issue',437,4,''),(7891,'Issue',437,5,'_False Positives_\nUnknown'),(7892,'Issue',437,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\csc.exe)\nindex: so-*\nname: Exploit for CVE-2017-8759\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7893,'Issue',437,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploit for CVE-2017-8759\nid: fdd84c68-a1f6-47c9-9477-920584f94905\ndescription: Detects Winword starting uncommon sub process csc.exe as used in exploits\n  for CVE-2017-8759\nreferences:\n- https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\n- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\ntags:\n- attack.execution\n- attack.t1203\nauthor: Florian Roth\ndate: 2017/09/15\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\WINWORD.EXE\'\n    Image: \'*\\csc.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7894,'Issue',437,15,'T1203'),(7895,'Issue',438,1,'Exploiting SetupComplete.cmd CVE-2019-1378'),(7896,'Issue',438,2,'Florian Roth'),(7897,'Issue',438,8,'https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua'),(7898,'Issue',438,10,'high'),(7899,'Issue',438,13,'community'),(7900,'Issue',438,14,'windows'),(7902,'Issue',438,11,'b2c8941b7'),(7903,'Issue',438,12,'1c373b6d-76ce-4553-997d-8c1da9a6b5f5'),(7904,'Issue',438,16,'win-proc'),(7905,'Issue',438,17,''),(7906,'Issue',438,7,''),(7907,'Issue',438,3,'Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378'),(7908,'Issue',438,4,''),(7909,'Issue',438,5,'_False Positives_\nUnknown'),(7910,'Issue',438,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:(*\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\SetupComplete.cmd OR *\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\PartnerSetupComplete.cmd) AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR C\\:\\\\Windows\\\\Setup\\\\*))))\nindex: so-*\nname: Exploiting SetupComplete.cmd CVE-2019-1378\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7911,'Issue',438,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploiting SetupComplete.cmd CVE-2019-1378\nid: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5\nstatus: experimental\ndescription: Detects exploitation attempt of privilege escalation vulnerability via\n  SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378\nreferences:\n- https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua\nauthor: Florian Roth\ndate: 2019/11/15\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentCommandLine:\n    - \'*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\SetupComplete.cmd\'\n    - \'*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\PartnerSetupComplete.cmd\'\n  filter:\n    Image:\n    - C:\\Windows\\System32\\\\*\n    - C:\\Windows\\SysWOW64\\\\*\n    - C:\\Windows\\WinSxS\\\\*\n    - C:\\Windows\\Setup\\\\*\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7912,'Issue',438,15,'T1055'),(7913,'Issue',439,1,'Exploiting CVE-2019-1388'),(7914,'Issue',439,2,'Florian Roth'),(7915,'Issue',439,8,'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388\nhttps://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege'),(7916,'Issue',439,10,'critical'),(7917,'Issue',439,13,'community'),(7918,'Issue',439,14,'windows'),(7920,'Issue',439,11,'c6eb81dae'),(7921,'Issue',439,12,'02e0b2ea-a597-428e-b04a-af6a1a403e5c'),(7922,'Issue',439,16,'win-proc'),(7923,'Issue',439,17,''),(7924,'Issue',439,7,''),(7925,'Issue',439,3,'Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM'),(7926,'Issue',439,4,''),(7927,'Issue',439,5,'_False Positives_\nUnknown'),(7928,'Issue',439,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\consent.exe AND process.executable.keyword:*\\\\iexplore.exe AND process.command_line.keyword:*\\ http* AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (IntegrityLevel:\"System\" OR event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\"))\nindex: so-*\nname: Exploiting CVE-2019-1388\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7929,'Issue',439,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploiting CVE-2019-1388\nid: 02e0b2ea-a597-428e-b04a-af6a1a403e5c\nstatus: experimental\ndescription: Detects an explotation attempt in which the UAC consent dialogue is used\n  to invoke an Internet Explorer process running as LOCAL_SYSTEM\nreferences:\n- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388\n- https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege\nauthor: Florian Roth\ndate: 2019/11/20\ntags:\n- attack.privilege_escalation\n- attack.t1068\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\consent.exe\'\n    Image: \'*\\iexplore.exe\'\n    CommandLine: \'* http*\'\n  rights1:\n    IntegrityLevel: System\n  rights2:\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection and ( rights1 or rights2 )\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7930,'Issue',439,15,'T1068'),(7931,'Issue',440,1,'Exploited CVE-2020-10189 Zoho ManageEngine'),(7932,'Issue',440,2,'Florian Roth'),(7933,'Issue',440,8,'https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10189\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189\nhttps://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224'),(7934,'Issue',440,10,'critical'),(7935,'Issue',440,13,'community'),(7936,'Issue',440,14,'windows'),(7938,'Issue',440,11,'06cab2646'),(7939,'Issue',440,12,'846b866e-2a57-46ee-8e16-85fa92759be7'),(7940,'Issue',440,16,'win-proc'),(7941,'Issue',440,17,''),(7942,'Issue',440,7,''),(7943,'Issue',440,3,'Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189'),(7944,'Issue',440,4,''),(7945,'Issue',440,5,'_False Positives_\nUnknown'),(7946,'Issue',440,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*DesktopCentral_Server\\\\jre\\\\bin\\\\java.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))\nindex: so-*\nname: Exploited CVE-2020-10189 Zoho ManageEngine\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7947,'Issue',440,9,'{{collapse(View Sigma)\n
\n\ntitle: Exploited CVE-2020-10189 Zoho ManageEngine\nid: 846b866e-2a57-46ee-8e16-85fa92759be7\nstatus: experimental\ndescription: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization\n  vulnerability reported as CVE-2020-10189\nreferences:\n- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\n- https://nvd.nist.gov/vuln/detail/CVE-2020-10189\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189\n- https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224\nauthor: Florian Roth\ndate: 2020/03/25\ntags:\n- attack.initial_access\n- attack.t1190\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: DesktopCentral_Server\\jre\\bin\\java.exe\n    Image|endswith:\n    - \'*\\cmd.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\bitsadmin.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7948,'Issue',440,15,'T1190'),(7949,'Issue',441,1,'File or Folder Permissions Modifications'),(7950,'Issue',441,2,'Jakob Weinzettl, oscd.community'),(7951,'Issue',441,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml'),(7952,'Issue',441,10,'medium'),(7953,'Issue',441,13,'community'),(7954,'Issue',441,14,'windows'),(7956,'Issue',441,11,'1c2d67989'),(7957,'Issue',441,12,'37ae075c-271b-459b-8d7b-55ad5f993dd8'),(7958,'Issue',441,16,'win-proc'),(7959,'Issue',441,17,''),(7960,'Issue',441,7,''),(7961,'Issue',441,3,'Detects a file or folder permissions modifications'),(7962,'Issue',441,4,''),(7963,'Issue',441,5,'_False Positives_\nUsers interacting with the files on their own (unlikely unless power users)\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(7964,'Issue',441,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\takeown.exe OR *\\\\cacls.exe OR *\\\\icacls.exe) AND process.command_line.keyword:*\\/grant*) OR (process.executable.keyword:*\\\\attrib.exe AND process.command_line.keyword:*\\-r*)))\nindex: so-*\nname: File or Folder Permissions Modifications\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7965,'Issue',441,9,'{{collapse(View Sigma)\n
\n\ntitle: File or Folder Permissions Modifications\nid: 37ae075c-271b-459b-8d7b-55ad5f993dd8\nstatus: experimental\ndescription: Detects a file or folder permissions modifications\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.defense_evasion\n- attack.t1222\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith:\n    - \\takeown.exe\n    - \\cacls.exe\n    - \\icacls.exe\n    CommandLine|contains: /grant\n  - Image|endswith: \\attrib.exe\n    CommandLine|contains: -r\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Users interacting with the files on their own (unlikely unless power users)\nlevel: medium\n\n
\n}}'),(7966,'Issue',441,15,'T1222'),(7967,'Issue',442,1,'Grabbing Sensitive Hives via Reg Utility'),(7968,'Issue',442,2,'Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community'),(7969,'Issue',442,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md'),(7970,'Issue',442,10,'medium'),(7971,'Issue',442,13,'community'),(7972,'Issue',442,14,'windows'),(7974,'Issue',442,11,'310cc8a8a'),(7975,'Issue',442,12,'fd877b94-9bb5-4191-bb25-d79cbd93c167'),(7976,'Issue',442,16,'win-proc'),(7977,'Issue',442,17,''),(7978,'Issue',442,7,''),(7979,'Issue',442,3,'Dump sam, system or security hives using REG.exe utility'),(7980,'Issue',442,4,''),(7981,'Issue',442,5,'_False Positives_\nDumping hives for legitimate purpouse i.e. backup or forensic investigation'),(7982,'Issue',442,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:*\\\\reg.exe AND process.command_line.keyword:(*save* OR *export*) AND process.command_line.keyword:(*hklm* OR *hkey_local_machine*) AND process.command_line.keyword:(*\\\\system OR *\\\\sam OR *\\\\security))\nindex: so-*\nname: Grabbing Sensitive Hives via Reg Utility\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(7983,'Issue',442,9,'{{collapse(View Sigma)\n
\n\ntitle: Grabbing Sensitive Hives via Reg Utility\nid: fd877b94-9bb5-4191-bb25-d79cbd93c167\ndescription: Dump sam, system or security hives using REG.exe utility\nauthor: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md\ntags:\n- attack.credential_access\n- attack.t1003\n- car.2013-07-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    NewProcessName: \'*\\reg.exe\'\n    CommandLine|contains:\n    - save\n    - export\n  selection_2:\n    CommandLine|contains:\n    - hklm\n    - hkey_local_machine\n  selection_3:\n    CommandLine|endswith:\n    - \\system\n    - \\sam\n    - \\security\n  condition: selection_1 and selection_2 and selection_3\nfalsepositives:\n- Dumping hives for legitimate purpouse i.e. backup or forensic investigation\nlevel: medium\nstatus: experimental\n\n
\n}}'),(7984,'Issue',442,15,'T1003'),(7985,'Issue',443,1,'Bloodhound and Sharphound Hack Tool'),(7986,'Issue',443,2,'Florian Roth'),(7987,'Issue',443,8,'https://github.com/BloodHoundAD/BloodHound\nhttps://github.com/BloodHoundAD/SharpHound'),(7988,'Issue',443,10,'high'),(7989,'Issue',443,13,'community'),(7990,'Issue',443,14,'windows'),(7992,'Issue',443,11,'6b42c6f56'),(7993,'Issue',443,12,'f376c8a7-a2d0-4ddc-aa0c-16c17236d962'),(7994,'Issue',443,16,'win-proc'),(7995,'Issue',443,17,''),(7996,'Issue',443,7,''),(7997,'Issue',443,3,'Detects command line parameters used by Bloodhound and Sharphound hack tools'),(7998,'Issue',443,4,''),(7999,'Issue',443,5,'_False Positives_\nOther programs that use these command line option and accepts an \'All\' parameter'),(8000,'Issue',443,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\Bloodhound.exe* OR *\\\\SharpHound.exe*) OR process.command_line.keyword:(*\\ \\-CollectionMethod\\ All\\ * OR *.exe\\ \\-c\\ All\\ \\-d\\ * OR *Invoke\\-Bloodhound* OR *Get\\-BloodHoundData*) OR (process.command_line.keyword:*\\ \\-JsonFolder\\ * AND process.command_line.keyword:*\\ \\-ZipFileName\\ *) OR (process.command_line.keyword:*\\ DCOnly\\ * AND process.command_line.keyword:*\\ \\-\\-NoSaveCache\\ *)))\nindex: so-*\nname: Bloodhound and Sharphound Hack Tool\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8001,'Issue',443,9,'{{collapse(View Sigma)\n
\n\ntitle: Bloodhound and Sharphound Hack Tool\nid: f376c8a7-a2d0-4ddc-aa0c-16c17236d962\ndescription: Detects command line parameters used by Bloodhound and Sharphound hack\n  tools\nauthor: Florian Roth\nreferences:\n- https://github.com/BloodHoundAD/BloodHound\n- https://github.com/BloodHoundAD/SharpHound\ndate: 2019/12/20\nmodified: 2019/12/21\ntags:\n- attack.discovery\n- attack.t1087\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image|contains:\n    - \\Bloodhound.exe\n    - \\SharpHound.exe\n  selection2:\n    CommandLine|contains:\n    - \' -CollectionMethod All \'\n    - \'.exe -c All -d \'\n    - Invoke-Bloodhound\n    - Get-BloodHoundData\n  selection3:\n    CommandLine|contains|all:\n    - \' -JsonFolder \'\n    - \' -ZipFileName \'\n  selection4:\n    CommandLine|contains|all:\n    - \' DCOnly \'\n    - \' --NoSaveCache \'\n  condition: 1 of them\nfalsepositives:\n- Other programs that use these command line option and accepts an \'All\' parameter\nlevel: high\n\n
\n}}'),(8002,'Issue',443,15,'T1087'),(8003,'Issue',444,1,'Koadic Execution'),(8004,'Issue',444,2,'wagga'),(8005,'Issue',444,8,'https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/\nhttps://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955\nhttps://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/'),(8006,'Issue',444,10,'high'),(8007,'Issue',444,13,'community'),(8008,'Issue',444,14,'windows'),(8010,'Issue',444,11,'fa9937192'),(8011,'Issue',444,12,'5cddf373-ef00-4112-ad72-960ac29bac34'),(8012,'Issue',444,16,'win-proc'),(8013,'Issue',444,17,''),(8014,'Issue',444,7,''),(8015,'Issue',444,3,'Detects command line parameters used by Koadic hack tool'),(8016,'Issue',444,4,''),(8017,'Issue',444,5,'_False Positives_\nPentest\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8018,'Issue',444,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*cmd.exe*\\ \\/q\\ \\/c\\ chcp\\ *))\nindex: so-*\nname: Koadic Execution\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8019,'Issue',444,9,'{{collapse(View Sigma)\n
\n\ntitle: Koadic Execution\nid: 5cddf373-ef00-4112-ad72-960ac29bac34\nstatus: experimental\ndescription: Detects command line parameters used by Koadic hack tool\nreferences:\n- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/\n- https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955\n- https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/\ntags:\n- attack.execution\n- attack.t1170\ndate: 2020/01/12\nauthor: wagga\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'*cmd.exe* /q /c chcp *\'\n  condition: selection1\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Pentest\nlevel: high\n\n
\n}}'),(8020,'Issue',444,15,'T1170'),(8021,'Issue',445,1,'Rubeus Hack Tool'),(8022,'Issue',445,2,'Florian Roth'),(8023,'Issue',445,8,'https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/'),(8024,'Issue',445,10,'critical'),(8025,'Issue',445,13,'community'),(8026,'Issue',445,14,'windows'),(8028,'Issue',445,11,'ad40ec27e'),(8029,'Issue',445,12,'7ec2c172-dceb-4c10-92c9-87c1881b7e18'),(8030,'Issue',445,16,'win-proc'),(8031,'Issue',445,17,''),(8032,'Issue',445,7,''),(8033,'Issue',445,3,'Detects command line parameters used by Rubeus hack tool'),(8034,'Issue',445,4,''),(8035,'Issue',445,5,'_False Positives_\nunlikely'),(8036,'Issue',445,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ asreproast\\ * OR *\\ dump\\ \\/service\\:krbtgt\\ * OR *\\ kerberoast\\ * OR *\\ createnetonly\\ \\/program\\:* OR *\\ ptt\\ \\/ticket\\:* OR *\\ \\/impersonateuser\\:* OR *\\ renew\\ \\/ticket\\:* OR *\\ asktgt\\ \\/user\\:* OR *\\ harvest\\ \\/interval\\:*))\nindex: so-*\nname: Rubeus Hack Tool\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8037,'Issue',445,9,'{{collapse(View Sigma)\n
\n\ntitle: Rubeus Hack Tool\nid: 7ec2c172-dceb-4c10-92c9-87c1881b7e18\ndescription: Detects command line parameters used by Rubeus hack tool\nauthor: Florian Roth\nreferences:\n- https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/\ndate: 2018/12/19\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* asreproast *\'\n    - \'* dump /service:krbtgt *\'\n    - \'* kerberoast *\'\n    - \'* createnetonly /program:*\'\n    - \'* ptt /ticket:*\'\n    - \'* /impersonateuser:*\'\n    - \'* renew /ticket:*\'\n    - \'* asktgt /user:*\'\n    - \'* harvest /interval:*\'\n  condition: selection\nfalsepositives:\n- unlikely\nlevel: critical\n\n
\n}}'),(8038,'Issue',445,15,'T1003'),(8039,'Issue',446,1,'SecurityXploded Tool'),(8040,'Issue',446,2,'Florian Roth'),(8041,'Issue',446,8,'https://securityxploded.com/\nhttps://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/'),(8042,'Issue',446,10,'critical'),(8043,'Issue',446,13,'community'),(8044,'Issue',446,14,'windows'),(8046,'Issue',446,11,'21368bb4b'),(8047,'Issue',446,12,'7679d464-4f74-45e2-9e01-ac66c5eb041a'),(8048,'Issue',446,16,'win-proc'),(8049,'Issue',446,17,''),(8050,'Issue',446,7,''),(8051,'Issue',446,3,'Detects the execution of SecurityXploded Tools'),(8052,'Issue',446,4,''),(8053,'Issue',446,5,'_False Positives_\nunlikely'),(8054,'Issue',446,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (event_data.Company:\"SecurityXploded\" OR process.executable.keyword:*PasswordDump.exe OR OriginalFilename.keyword:*PasswordDump.exe))\nindex: so-*\nname: SecurityXploded Tool\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8055,'Issue',446,9,'{{collapse(View Sigma)\n
\n\ntitle: SecurityXploded Tool\nid: 7679d464-4f74-45e2-9e01-ac66c5eb041a\ndescription: Detects the execution of SecurityXploded Tools\nauthor: Florian Roth\nreferences:\n- https://securityxploded.com/\n- https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/\ndate: 2018/12/19\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Company: SecurityXploded\n  selection2:\n    Image|endswith: PasswordDump.exe\n  selection3:\n    OriginalFilename|endswith: PasswordDump.exe\n  condition: 1 of them\nfalsepositives:\n- unlikely\nlevel: critical\n\n
\n}}'),(8056,'Issue',446,15,'T1003'),(8057,'Issue',447,1,'HH.exe Execution'),(8058,'Issue',447,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community'),(8059,'Issue',447,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html'),(8060,'Issue',447,10,'high'),(8061,'Issue',447,13,'community'),(8062,'Issue',447,14,'windows'),(8064,'Issue',447,11,'0cb0c3bd8'),(8065,'Issue',447,12,'68c8acb4-1b60-4890-8e82-3ddf7a6dba84'),(8066,'Issue',447,16,'win-proc'),(8067,'Issue',447,17,''),(8068,'Issue',447,7,''),(8069,'Issue',447,3,'Identifies usage of hh.exe executing recently modified .chm files.'),(8070,'Issue',447,4,''),(8071,'Issue',447,5,'_False Positives_\nunlike\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8072,'Issue',447,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\hh.exe AND process.command_line.keyword:*.chm*)\nindex: so-*\nname: HH.exe Execution\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8073,'Issue',447,9,'{{collapse(View Sigma)\n
\n\ntitle: HH.exe Execution\nid: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84\ndescription: Identifies usage of hh.exe executing recently modified .chm files.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1223\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\hh.exe\n    CommandLine|contains: .chm\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- unlike\nlevel: high\n\n
\n}}'),(8074,'Issue',447,15,'T1223'),(8075,'Issue',448,1,'HTML Help Shell Spawn'),(8076,'Issue',448,2,'Maxim Pavlunin'),(8077,'Issue',448,8,'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/'),(8078,'Issue',448,10,'high'),(8079,'Issue',448,13,'community'),(8080,'Issue',448,14,'windows'),(8082,'Issue',448,11,'6ba3a1ad3'),(8083,'Issue',448,12,'52cad028-0ff0-4854-8f67-d25dfcbc78b4'),(8084,'Issue',448,16,'win-proc'),(8085,'Issue',448,17,''),(8086,'Issue',448,7,''),(8087,'Issue',448,3,'Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)'),(8088,'Issue',448,4,''),(8089,'Issue',448,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8090,'Issue',448,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable:\"C\\:\\\\Windows\\\\hh.exe\" AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\rundll32.exe))\nindex: so-*\nname: HTML Help Shell Spawn\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8091,'Issue',448,9,'{{collapse(View Sigma)\n
\n\ntitle: HTML Help Shell Spawn\nid: 52cad028-0ff0-4854-8f67-d25dfcbc78b4\nstatus: experimental\ndescription: Detects a suspicious child process of a Microsoft HTML Help system when\n  executing compiled HTML files (.chm)\nreferences:\n- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/\nauthor: Maxim Pavlunin\ndate: 2020/04/01\nmodified: 2020/04/03\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1223\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: C:\\Windows\\hh.exe\n    Image|endswith:\n    - \\cmd.exe\n    - \\powershell.exe\n    - \\wscript.exe\n    - \\cscript.exe\n    - \\regsvr32.exe\n    - \\wmic.exe\n    - \\rundll32.exe\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8092,'Issue',448,15,'T1223'),(8093,'Issue',449,1,'Suspicious HWP Sub Processes'),(8094,'Issue',449,2,'Florian Roth'),(8095,'Issue',449,8,'https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/\nhttps://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1\nhttps://twitter.com/cyberwar_15/status/1187287262054076416\nhttps://blog.alyac.co.kr/1901\nhttps://en.wikipedia.org/wiki/Hangul_(word_processor)'),(8096,'Issue',449,10,'high'),(8097,'Issue',449,13,'community'),(8098,'Issue',449,14,'windows'),(8100,'Issue',449,11,'45f9c4d54'),(8101,'Issue',449,12,'023394c4-29d5-46ab-92b8-6a534c6f447b'),(8102,'Issue',449,16,'win-proc'),(8103,'Issue',449,17,''),(8104,'Issue',449,7,''),(8105,'Issue',449,3,'Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation'),(8106,'Issue',449,4,''),(8107,'Issue',449,5,'_False Positives_\nUnknown'),(8108,'Issue',449,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\Hwp.exe AND process.executable.keyword:*\\\\gbb.exe)\nindex: so-*\nname: Suspicious HWP Sub Processes\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8109,'Issue',449,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious HWP Sub Processes\nid: 023394c4-29d5-46ab-92b8-6a534c6f447b\ndescription: Detects suspicious Hangul Word Processor (Hanword) sub processes that\n  could indicate an exploitation\nstatus: experimental\nreferences:\n- https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/\n- https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1\n- https://twitter.com/cyberwar_15/status/1187287262054076416\n- https://blog.alyac.co.kr/1901\n- https://en.wikipedia.org/wiki/Hangul_(word_processor)\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.initial_access\n- attack.t1059\n- attack.t1202\n- attack.t1193\n- attack.g0032\nauthor: Florian Roth\ndate: 2019/10/24\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\Hwp.exe\'\n    Image: \'*\\gbb.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8110,'Issue',449,15,'T1059'),(8111,'Issue',449,15,'T1202'),(8112,'Issue',449,15,'T1193'),(8113,'Issue',450,1,'Impacket Lateralization Detection'),(8114,'Issue',450,2,'Ecco'),(8115,'Issue',450,8,'https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py'),(8116,'Issue',450,10,'critical'),(8117,'Issue',450,13,'community'),(8118,'Issue',450,14,'windows'),(8120,'Issue',450,11,'bfb0c817e'),(8121,'Issue',450,12,'10c14723-61c7-4c75-92ca-9af245723ad2'),(8122,'Issue',450,16,'win-proc'),(8123,'Issue',450,17,''),(8124,'Issue',450,7,''),(8125,'Issue',450,3,'Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework'),(8126,'Issue',450,4,''),(8127,'Issue',450,5,'_False Positives_\npentesters\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8128,'Issue',450,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:(*\\\\wmiprvse.exe OR *\\\\mmc.exe OR *\\\\explorer.exe OR *\\\\services.exe) AND process.command_line.keyword:(*cmd.exe*\\ \\/Q\\ \\/c\\ *\\ \\\\\\\\127.0.0.1\\\\*&1*)) OR (process.parent.command_line.keyword:(*svchost.exe\\ \\-k\\ netsvcs OR taskeng.exe*) AND process.command_line.keyword:(cmd.exe\\ \\/C\\ *Windows\\\\Temp\\\\*&1))))\nindex: so-*\nname: Impacket Lateralization Detection\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8129,'Issue',450,9,'{{collapse(View Sigma)\n
\n\ntitle: Impacket Lateralization Detection\nid: 10c14723-61c7-4c75-92ca-9af245723ad2\nstatus: experimental\ndescription: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework\nreferences:\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py\nauthor: Ecco\ndate: 2019/09/03\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_other:\n    ParentImage:\n    - \'*\\wmiprvse.exe\'\n    - \'*\\mmc.exe\'\n    - \'*\\explorer.exe\'\n    - \'*\\services.exe\'\n    CommandLine:\n    - \'*cmd.exe* /Q /c * \\\\\\\\127.0.0.1\\\\*&1*\'\n  selection_atexec:\n    ParentCommandLine:\n    - \'*svchost.exe -k netsvcs\'\n    - taskeng.exe*\n    CommandLine:\n    - cmd.exe /C *Windows\\\\Temp\\\\*&1\n  condition: (1 of selection_*)\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.lateral_movement\n- attack.t1047\n- attack.t1175\nfalsepositives:\n- pentesters\nlevel: critical\n\n
\n}}'),(8130,'Issue',450,15,'T1047'),(8131,'Issue',450,15,'T1175'),(8132,'Issue',451,1,'Indirect Command Execution'),(8133,'Issue',451,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8134,'Issue',451,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html'),(8135,'Issue',451,10,'low'),(8136,'Issue',451,13,'community'),(8137,'Issue',451,14,'windows'),(8139,'Issue',451,11,'4448f85f5'),(8140,'Issue',451,12,'fa47597e-90e9-41cd-ab72-c3b74cfb0d02'),(8141,'Issue',451,16,'win-proc'),(8142,'Issue',451,17,''),(8143,'Issue',451,7,''),(8144,'Issue',451,3,'Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe'),(8145,'Issue',451,4,''),(8146,'Issue',451,5,'_False Positives_\nNeed to use extra processing with \'unique_count\' / \'filter\' to focus on outliers as opposed to commonly seen artifacts\nLegit usage of scripts\n\n_Interesting Log Fields_\nComputerName\nUser\nParentCommandLine\nCommandLine'),(8147,'Issue',451,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\pcalua.exe OR *\\\\forfiles.exe))\nindex: so-*\nname: Indirect Command Execution\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8148,'Issue',451,9,'{{collapse(View Sigma)\n
\n\ntitle: Indirect Command Execution\nid: fa47597e-90e9-41cd-ab72-c3b74cfb0d02\ndescription: Detect indirect command execution via Program Compatibility Assistant\n  pcalua.exe or forfiles.exe\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.t1202\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith:\n    - \\pcalua.exe\n    - \\forfiles.exe\n  condition: selection\nfields:\n- ComputerName\n- User\n- ParentCommandLine\n- CommandLine\nfalsepositives:\n- Need to use extra processing with \'unique_count\' / \'filter\' to focus on outliers\n  as opposed to commonly seen artifacts\n- Legit usage of scripts\nlevel: low\n\n
\n}}'),(8149,'Issue',451,15,'T1202'),(8150,'Issue',452,1,'Suspicious Debugger Registration Cmdline'),(8151,'Issue',452,2,'Florian Roth'),(8152,'Issue',452,8,'https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/'),(8153,'Issue',452,10,'high'),(8154,'Issue',452,13,'community'),(8155,'Issue',452,14,'windows'),(8157,'Issue',452,11,'8447d556d'),(8158,'Issue',452,12,'ae215552-081e-44c7-805f-be16f975c8a2'),(8159,'Issue',452,16,'win-proc'),(8160,'Issue',452,17,''),(8161,'Issue',452,7,''),(8162,'Issue',452,3,'Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).'),(8163,'Issue',452,4,''),(8164,'Issue',452,5,'_False Positives_\nPenetration Tests'),(8165,'Issue',452,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\sethc.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\utilman.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\osk.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\magnify.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\narrator.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\displayswitch.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\atbroker.exe*))\nindex: so-*\nname: Suspicious Debugger Registration Cmdline\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8166,'Issue',452,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Debugger Registration Cmdline\nid: ae215552-081e-44c7-805f-be16f975c8a2\nstatus: experimental\ndescription: Detects the registration of a debugger for a program that is available\n  in the logon screen (sticky key backdoor).\nreferences:\n- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/\ntags:\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1015\nauthor: Florian Roth\ndate: 2019/09/06\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\CurrentVersion\\Image File Execution Options\\sethc.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\utilman.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\osk.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\magnify.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\narrator.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\displayswitch.exe*\'\n    - \'*\\CurrentVersion\\Image File Execution Options\\atbroker.exe*\'\n  condition: selection\nfalsepositives:\n- Penetration Tests\nlevel: high\n\n
\n}}'),(8167,'Issue',452,15,'T1015'),(8168,'Issue',453,1,'Interactive AT Job'),(8169,'Issue',453,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8170,'Issue',453,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html'),(8171,'Issue',453,10,'high'),(8172,'Issue',453,13,'community'),(8173,'Issue',453,14,'windows'),(8175,'Issue',453,11,'deff452c1'),(8176,'Issue',453,12,'60fc936d-2eb0-4543-8a13-911c750a1dfc'),(8177,'Issue',453,16,'win-proc'),(8178,'Issue',453,17,''),(8179,'Issue',453,7,''),(8180,'Issue',453,3,'Detect an interactive AT job, which may be used as a form of privilege escalation'),(8181,'Issue',453,4,''),(8182,'Issue',453,5,'_False Positives_\nUnlikely (at.exe deprecated as of Windows 8)\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8183,'Issue',453,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\at.exe AND process.command_line.keyword:*interactive*)\nindex: so-*\nname: Interactive AT Job\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8184,'Issue',453,9,'{{collapse(View Sigma)\n
\n\ntitle: Interactive AT Job\nid: 60fc936d-2eb0-4543-8a13-911c750a1dfc\ndescription: Detect an interactive AT job, which may be used as a form of privilege\n  escalation\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.privilege_escalation\n- attack.t1053\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\at.exe\n    CommandLine|contains: interactive\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely (at.exe deprecated as of Windows 8)\nlevel: high\n\n
\n}}'),(8185,'Issue',453,15,'T1053'),(8186,'Issue',454,1,'Invoke-Obfuscation Obfuscated IEX Invocation'),(8187,'Issue',454,2,'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'),(8188,'Issue',454,8,'none'),(8189,'Issue',454,10,'high'),(8190,'Issue',454,13,'community'),(8191,'Issue',454,14,'windows'),(8193,'Issue',454,11,'6d2baff57'),(8194,'Issue',454,12,'4bf943c6-5146-4273-98dd-e958fd1e3abf'),(8195,'Issue',454,16,'win-proc'),(8196,'Issue',454,17,''),(8197,'Issue',454,7,''),(8198,'Issue',454,3,'Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888'),(8199,'Issue',454,4,''),(8200,'Issue',454,5,'_False Positives_\nUnknown'),(8201,'Issue',454,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (process.command_line:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR process.command_line:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR process.command_line:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR process.command_line:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR process.command_line:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR process.command_line:/\\$VerbosePreference\\.ToString\\(/ OR process.command_line:/\\String\\]\\s*\\$VerbosePreference/)\nindex: so-*\nname: Invoke-Obfuscation Obfuscated IEX Invocation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8202,'Issue',454,9,'{{collapse(View Sigma)\n
\n\ntitle: Invoke-Obfuscation Obfuscated IEX Invocation\nid: 4bf943c6-5146-4273-98dd-e958fd1e3abf\ndescription: Detects all variations of obfuscated powershell IEX invocation code generated\n  by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888\nstatus: experimental\nauthor: Daniel Bohannon (@Mandiant/@FireEye), oscd.community\ndate: 2019/11/08\ntags:\n- attack.defense_evasion\n- attack.t1027\nlogsource:\n  product: windows\n  service: process_creation\ndetection:\n  selection:\n  - CommandLine|re: \\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[\n  - CommandLine|re: \\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[\n  - CommandLine|re: \\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[\n  - CommandLine|re: \\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}\n  - CommandLine|re: \\*mdr\\*\\W\\s*\\)\\.Name\n  - CommandLine|re: \\$VerbosePreference\\.ToString\\(\n  - CommandLine|re: \\String\\]\\s*\\$VerbosePreference\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8203,'Issue',454,15,'T1027'),(8204,'Issue',455,1,'Windows Kernel and 3rd-Party Drivers Exploits Token Stealing'),(8205,'Issue',455,2,'Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)'),(8206,'Issue',455,8,'https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment'),(8207,'Issue',455,10,'critical'),(8208,'Issue',455,13,'community'),(8209,'Issue',455,14,'windows'),(8211,'Issue',455,11,'1425eee14'),(8212,'Issue',455,12,'8065b1b4-1778-4427-877f-6bf948b26d38'),(8213,'Issue',455,16,'win-proc'),(8214,'Issue',455,17,''),(8215,'Issue',455,7,''),(8216,'Issue',455,3,'Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level'),(8217,'Issue',455,4,''),(8218,'Issue',455,5,'_False Positives_\nUnknown'),(8219,'Issue',455,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ParentIntegrityLevel:\"Medium\" AND IntegrityLevel:\"System\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")\nindex: so-*\nname: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8220,'Issue',455,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing\nid: 8065b1b4-1778-4427-877f-6bf948b26d38\ndescription: Detection of child processes spawned with SYSTEM privileges by parents\n  with non-SYSTEM privileges and Medium integrity level\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\ntags:\n- attack.privilege_escalation\n- attack.t1068\nstatus: experimental\nauthor: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)\ndate: 2019/06/03\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentIntegrityLevel: Medium\n    IntegrityLevel: System\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0002_enrich_sysmon_event_id_1_with_parent_info\n\n
\n}}'),(8221,'Issue',455,15,'T1068'),(8222,'Issue',456,1,'MSHTA Spwaned by SVCHOST'),(8223,'Issue',456,2,'Markus Neis'),(8224,'Issue',456,8,'https://codewhitesec.blogspot.com/2018/07/lethalhta.html'),(8225,'Issue',456,10,'high'),(8226,'Issue',456,13,'community'),(8227,'Issue',456,14,'windows'),(8229,'Issue',456,11,'f443dd9d3'),(8230,'Issue',456,12,'ed5d72a6-f8f4-479d-ba79-02f6a80d7471'),(8231,'Issue',456,16,'win-proc'),(8232,'Issue',456,17,''),(8233,'Issue',456,7,''),(8234,'Issue',456,3,'Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report'),(8235,'Issue',456,4,''),(8236,'Issue',456,5,'_False Positives_\nUnknown'),(8237,'Issue',456,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\svchost.exe AND process.executable.keyword:*\\\\mshta.exe)\nindex: so-*\nname: MSHTA Spwaned by SVCHOST\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8238,'Issue',456,9,'{{collapse(View Sigma)\n
\n\ntitle: MSHTA Spwaned by SVCHOST\nid: ed5d72a6-f8f4-479d-ba79-02f6a80d7471\nstatus: experimental\ndescription: Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described\n  in report\nreferences:\n- https://codewhitesec.blogspot.com/2018/07/lethalhta.html\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1170\nauthor: Markus Neis\ndate: 2018/06/07\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\svchost.exe\'\n    Image: \'*\\mshta.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8239,'Issue',456,15,'T1170'),(8240,'Issue',457,1,'Local Accounts Discovery'),(8241,'Issue',457,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(8242,'Issue',457,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml'),(8243,'Issue',457,10,'low'),(8244,'Issue',457,13,'community'),(8245,'Issue',457,14,'windows'),(8247,'Issue',457,11,'94d1a7cce'),(8248,'Issue',457,12,'502b42de-4306-40b4-9596-6f590c81f073'),(8249,'Issue',457,16,'win-proc'),(8250,'Issue',457,17,''),(8251,'Issue',457,7,''),(8252,'Issue',457,3,'Local accounts, System Owner/User discovery using operating systems utilities'),(8253,'Issue',457,4,''),(8254,'Issue',457,5,'_False Positives_\nLegitimate administrator or user enumerates local users for legitimate reason\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(8255,'Issue',457,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (((process.executable.keyword:*\\\\whoami.exe OR (process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*useraccount* AND process.command_line.keyword:*get*) OR process.executable.keyword:(*\\\\quser.exe OR *\\\\qwinsta.exe) OR (process.executable.keyword:*\\\\cmdkey.exe AND process.command_line.keyword:*\\/list*) OR (process.executable.keyword:*\\\\cmd.exe AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*dir\\ * AND process.command_line.keyword:*\\\\Users\\*)) AND (NOT (process.command_line.keyword:(*\\ rmdir\\ *)))) OR ((process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*user*) AND (NOT (process.command_line.keyword:(*\\/domain* OR *\\/add* OR *\\/delete* OR *\\/active* OR *\\/expires* OR *\\/passwordreq* OR *\\/scriptpath* OR *\\/times* OR *\\/workstations*))))))\nindex: so-*\nname: Local Accounts Discovery\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8256,'Issue',457,9,'{{collapse(View Sigma)\n
\n\ntitle: Local Accounts Discovery\nid: 502b42de-4306-40b4-9596-6f590c81f073\nstatus: experimental\ndescription: Local accounts, System Owner/User discovery using operating systems utilities\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n  - Image|endswith: \\whoami.exe\n  - Image|endswith: \\wmic.exe\n    CommandLine|contains|all:\n    - useraccount\n    - get\n  - Image|endswith:\n    - \\quser.exe\n    - \\qwinsta.exe\n  - Image|endswith: \\cmdkey.exe\n    CommandLine|contains: /list\n  - Image|endswith: \\cmd.exe\n    CommandLine|contains|all:\n    - /c\n    - \'dir \'\n    - \\Users\\\n  filter_1:\n    CommandLine|contains:\n    - \' rmdir \'\n  selection_2:\n    Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: user\n  filter_2:\n    CommandLine|contains:\n    - /domain\n    - /add\n    - /delete\n    - /active\n    - /expires\n    - /passwordreq\n    - /scriptpath\n    - /times\n    - /workstations\n  condition: (selection_1 and not filter_1) or ( selection_2 and not filter_2)\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nfalsepositives:\n- Legitimate administrator or user enumerates local users for legitimate reason\nlevel: low\ntags:\n- attack.discovery\n- attack.t1033\n- attack.t1087\n\n
\n}}'),(8257,'Issue',457,15,'T1033'),(8258,'Issue',457,15,'T1087'),(8259,'Issue',458,1,'LSASS Memory Dumping'),(8260,'Issue',458,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(8261,'Issue',458,8,'https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml'),(8262,'Issue',458,10,'high'),(8263,'Issue',458,13,'community'),(8264,'Issue',458,14,'windows'),(8266,'Issue',458,11,'80532cee2'),(8267,'Issue',458,12,'ffa6861c-4461-4f59-8a41-578c39f3f23e'),(8268,'Issue',458,16,'win-proc'),(8269,'Issue',458,17,''),(8270,'Issue',458,7,''),(8271,'Issue',458,3,'Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.'),(8272,'Issue',458,4,''),(8273,'Issue',458,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8274,'Issue',458,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (((process.command_line.keyword:*lsass* AND process.command_line.keyword:*.dmp*) AND (NOT (process.executable.keyword:*\\\\werfault.exe))) OR (process.executable.keyword:*\\\\procdump* AND process.executable.keyword:*.exe AND process.command_line.keyword:*lsass*)))\nindex: so-*\nname: LSASS Memory Dumping\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8275,'Issue',458,9,'{{collapse(View Sigma)\n
\n\ntitle: LSASS Memory Dumping\nid: ffa6861c-4461-4f59-8a41-578c39f3f23e\ndescription: Detect creation of dump files containing the memory space of lsass.exe,\n  which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe\n  to export the memory space of lsass.exe which contains sensitive credentials.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html\n- https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine|contains|all:\n    - lsass\n    - .dmp\n  selection2:\n    Image|endswith: \\werfault.exe\n  selection3:\n    Image|contains: \\procdump\n    Image|endswith: .exe\n    CommandLine|contains: lsass\n  condition: selection1 and not selection2 or selection3\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}'),(8276,'Issue',458,15,'T1003'),(8277,'Issue',459,1,'Dridex Process Pattern'),(8278,'Issue',459,2,'Florian Roth'),(8279,'Issue',459,8,'https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3'),(8280,'Issue',459,10,'critical'),(8281,'Issue',459,13,'community'),(8282,'Issue',459,14,'windows'),(8284,'Issue',459,11,'89a943e8b'),(8285,'Issue',459,12,'e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e'),(8286,'Issue',459,16,'win-proc'),(8287,'Issue',459,17,''),(8288,'Issue',459,7,''),(8289,'Issue',459,3,'Detects typical Dridex process patterns'),(8290,'Issue',459,4,''),(8291,'Issue',459,5,'_False Positives_\nUnlikely'),(8292,'Issue',459,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\svchost.exe\\ C\\:\\\\Users\\\\*\\\\Desktop\\\\* OR (process.parent.executable.keyword:*\\\\svchost.exe* AND process.command_line.keyword:(*whoami.exe\\ \\/all OR *net.exe\\ view))))\nindex: so-*\nname: Dridex Process Pattern\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8293,'Issue',459,9,'{{collapse(View Sigma)\n
\n\ntitle: Dridex Process Pattern\nid: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e\nstatus: experimental\ndescription: Detects typical Dridex process patterns\nreferences:\n- https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3\nauthor: Florian Roth\ndate: 2019/01/10\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine: \'*\\svchost.exe C:\\Users\\\\*\\Desktop\\\\*\'\n  selection2:\n    ParentImage: \'*\\svchost.exe*\'\n    CommandLine:\n    - \'*whoami.exe /all\'\n    - \'*net.exe view\'\n  condition: 1 of them\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8294,'Issue',459,15,'T1055'),(8295,'Issue',460,1,'DTRACK Process Creation'),(8296,'Issue',460,2,'Florian Roth'),(8297,'Issue',460,8,'https://securelist.com/my-name-is-dtrack/93338/\nhttps://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/\nhttps://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/'),(8298,'Issue',460,10,'critical'),(8299,'Issue',460,13,'community'),(8300,'Issue',460,14,'windows'),(8301,'Issue',460,15,''),(8302,'Issue',460,11,'1265efdfc'),(8303,'Issue',460,12,'f1531fa4-5b84-4342-8f68-9cf3fdbd83d4'),(8304,'Issue',460,16,'win-proc'),(8305,'Issue',460,17,''),(8306,'Issue',460,7,''),(8307,'Issue',460,3,'Detects specific process parameters as seen in DTRACK infections'),(8308,'Issue',460,4,''),(8309,'Issue',460,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8310,'Issue',460,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ echo\\ EEEE\\ \\ *)\nindex: so-*\nname: DTRACK Process Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8311,'Issue',460,9,'{{collapse(View Sigma)\n
\n\ntitle: DTRACK Process Creation\nid: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4\nstatus: experimental\ndescription: Detects specific process parameters as seen in DTRACK infections\nauthor: Florian Roth\ndate: 2019/10/30\nreferences:\n- https://securelist.com/my-name-is-dtrack/93338/\n- https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/\n- https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'* echo EEEE > *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8312,'Issue',461,1,'Emotet Process Creation'),(8313,'Issue',461,2,'Florian Roth'),(8314,'Issue',461,8,'https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/\nhttps://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/\nhttps://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/\nhttps://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/'),(8315,'Issue',461,10,'critical'),(8316,'Issue',461,13,'community'),(8317,'Issue',461,14,'windows'),(8318,'Issue',461,15,''),(8319,'Issue',461,11,'22693b62c'),(8320,'Issue',461,12,'d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18'),(8321,'Issue',461,16,'win-proc'),(8322,'Issue',461,17,''),(8323,'Issue',461,7,''),(8324,'Issue',461,3,'Detects all Emotet like process executions that are not covered by the more generic rules'),(8325,'Issue',461,4,''),(8326,'Issue',461,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8327,'Issue',461,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-e*\\ PAA* OR *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* OR *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* OR *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* OR *IgAoACcAKgAnACkAOwAkA* OR *IAKAAnACoAJwApADsAJA* OR *iACgAJwAqACcAKQA7ACQA* OR *JABGAGwAeAByAGgAYwBmAGQ*))\nindex: so-*\nname: Emotet Process Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8328,'Issue',461,9,'{{collapse(View Sigma)\n
\n\ntitle: Emotet Process Creation\nid: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18\nstatus: experimental\ndescription: Detects all Emotet like process executions that are not covered by the\n  more generic rules\nauthor: Florian Roth\ndate: 2019/09/30\nmodified: 2019/10/16\nreferences:\n- https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/\n- https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/\n- https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/\n- https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -e* PAA*\'\n    - \'*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*\'\n    - \'*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*\'\n    - \'*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*\'\n    - \'*IgAoACcAKgAnACkAOwAkA*\'\n    - \'*IAKAAnACoAJwApADsAJA*\'\n    - \'*iACgAJwAqACcAKQA7ACQA*\'\n    - \'*JABGAGwAeAByAGgAYwBmAGQ*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8329,'Issue',462,1,'Formbook Process Creation'),(8330,'Issue',462,2,'Florian Roth'),(8331,'Issue',462,8,'https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer\nhttps://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/\nhttps://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/\nhttps://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/'),(8332,'Issue',462,10,'critical'),(8333,'Issue',462,13,'community'),(8334,'Issue',462,14,'windows'),(8335,'Issue',462,15,''),(8336,'Issue',462,11,'a76fc01e3'),(8337,'Issue',462,12,'032f5fb3-d959-41a5-9263-4173c802dc2b'),(8338,'Issue',462,16,'win-proc'),(8339,'Issue',462,17,''),(8340,'Issue',462,7,''),(8341,'Issue',462,3,'Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.'),(8342,'Issue',462,4,''),(8343,'Issue',462,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8344,'Issue',462,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe OR C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND process.command_line.keyword:(*\\ \\/c\\ del\\ \\\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe OR *\\ \\/c\\ del\\ \\\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe OR *\\ \\/C\\ type\\ nul\\ \\ \\\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))\nindex: so-*\nname: Formbook Process Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8345,'Issue',462,9,'{{collapse(View Sigma)\n
\n\ntitle: Formbook Process Creation\nid: 032f5fb3-d959-41a5-9263-4173c802dc2b\nstatus: experimental\ndescription: Detects Formbook like process executions that inject code into a set\n  of files in the System32 folder, which executes a special command command line to\n  delete the dropper from the AppData Temp folder. We avoid false positives by excluding\n  all parent process with command line parameters.\nauthor: Florian Roth\ndate: 2019/09/30\nmodified: 2019/10/31\nreferences:\n- https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer\n- https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/\n- https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/\n- https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentCommandLine:\n    - C:\\Windows\\System32\\\\*.exe\n    - C:\\Windows\\SysWOW64\\\\*.exe\n    CommandLine:\n    - \'* /c del \"C:\\Users\\\\*\\AppData\\Local\\Temp\\\\*.exe\'\n    - \'* /c del \"C:\\Users\\\\*\\Desktop\\\\*.exe\'\n    - \'* /C type nul > \"C:\\Users\\\\*\\Desktop\\\\*.exe\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(8346,'Issue',463,1,'NotPetya Ransomware Activity'),(8347,'Issue',463,2,'Florian Roth, Tom Ueltschi'),(8348,'Issue',463,8,'https://securelist.com/schroedingers-petya/78870/\nhttps://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100'),(8349,'Issue',463,10,'critical'),(8350,'Issue',463,13,'community'),(8351,'Issue',463,14,'windows'),(8353,'Issue',463,11,'f1d5345d2'),(8354,'Issue',463,12,'79aeeb41-8156-4fac-a0cd-076495ab82a1'),(8355,'Issue',463,16,'win-proc'),(8356,'Issue',463,17,''),(8357,'Issue',463,7,''),(8358,'Issue',463,3,'Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil'),(8359,'Issue',463,4,''),(8360,'Issue',463,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8361,'Issue',463,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\*\\ \\\\.\\\\pipe\\\\* OR (process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*.dat,#1) OR *\\\\perfc.dat*))\nindex: so-*\nname: NotPetya Ransomware Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8362,'Issue',463,9,'{{collapse(View Sigma)\n
\n\ntitle: NotPetya Ransomware Activity\nid: 79aeeb41-8156-4fac-a0cd-076495ab82a1\nstatus: experimental\ndescription: Detects NotPetya ransomware activity in which the extracted passwords\n  are passed back to the main module via named pipe, the file system journal of drive\n  C is deleted and windows eventlogs are cleared using wevtutil\nauthor: Florian Roth, Tom Ueltschi\ndate: 2019/01/16\nreferences:\n- https://securelist.com/schroedingers-petya/78870/\n- https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100\ntags:\n- attack.execution\n- attack.credential_access\n- attack.defense_evasion\n- attack.t1085\n- attack.t1070\n- attack.t1003\n- car.2016-04-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  pipe_com:\n    CommandLine: \'*\\AppData\\Local\\Temp\\\\* \\\\.\\pipe\\\\*\'\n  rundll32_dash1:\n    Image: \'*\\rundll32.exe\'\n    CommandLine: \'*.dat,#1\'\n  perfc_keyword:\n  - \'*\\perfc.dat*\'\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Admin activity\nlevel: critical\n\n
\n}}'),(8363,'Issue',463,15,'T1085'),(8364,'Issue',463,15,'T1070'),(8365,'Issue',463,15,'T1003'),(8366,'Issue',464,1,'QBot Process Creation'),(8367,'Issue',464,2,'Florian Roth'),(8368,'Issue',464,8,'https://twitter.com/killamjr/status/1179034907932315648\nhttps://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/'),(8369,'Issue',464,10,'critical'),(8370,'Issue',464,13,'community'),(8371,'Issue',464,14,'windows'),(8372,'Issue',464,15,''),(8373,'Issue',464,11,'046681e0b'),(8374,'Issue',464,12,'4fcac6eb-0287-4090-8eea-2602e4c20040'),(8375,'Issue',464,16,'win-proc'),(8376,'Issue',464,17,''),(8377,'Issue',464,7,''),(8378,'Issue',464,3,'Detects QBot like process executions'),(8379,'Issue',464,4,''),(8380,'Issue',464,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8381,'Issue',464,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:*\\\\WinRAR.exe AND process.executable.keyword:*\\\\wscript.exe) OR process.command_line.keyword:*\\ \\/c\\ ping.exe\\ \\-n\\ 6\\ 127.0.0.1\\ &\\ type\\ *))\nindex: so-*\nname: QBot Process Creation\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8382,'Issue',464,9,'{{collapse(View Sigma)\n
\n\ntitle: QBot Process Creation\nid: 4fcac6eb-0287-4090-8eea-2602e4c20040\nstatus: experimental\ndescription: Detects QBot like process executions\nauthor: Florian Roth\ndate: 2019/10/01\nreferences:\n- https://twitter.com/killamjr/status/1179034907932315648\n- https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    ParentImage: \'*\\WinRAR.exe\'\n    Image: \'*\\wscript.exe\'\n  selection2:\n    CommandLine: \'* /c ping.exe -n 6 127.0.0.1 & type *\'\n  condition: selection1 or selection2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8383,'Issue',465,1,'Ryuk Ransomware'),(8384,'Issue',465,2,'Florian Roth'),(8385,'Issue',465,8,'https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/'),(8386,'Issue',465,10,'critical'),(8387,'Issue',465,13,'community'),(8388,'Issue',465,14,'windows'),(8389,'Issue',465,15,''),(8390,'Issue',465,11,'78f7434fc'),(8391,'Issue',465,12,'c37510b8-2107-4b78-aa32-72f251e7a844'),(8392,'Issue',465,16,'win-proc'),(8393,'Issue',465,17,''),(8394,'Issue',465,7,''),(8395,'Issue',465,3,'Detects Ryuk ransomware activity'),(8396,'Issue',465,4,''),(8397,'Issue',465,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8398,'Issue',465,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* AND process.command_line.keyword:*C\\:\\\\users\\\\Public\\*)\nindex: so-*\nname: Ryuk Ransomware\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8399,'Issue',465,9,'{{collapse(View Sigma)\n
\n\ntitle: Ryuk Ransomware\nid: c37510b8-2107-4b78-aa32-72f251e7a844\nstatus: experimental\ndescription: Detects Ryuk ransomware activity\nauthor: Florian Roth\ndate: 2019/12/16\nreferences:\n- https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - Microsoft\\Windows\\CurrentVersion\\Run\n    - C:\\users\\Public\\\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8400,'Issue',466,1,'WScript or CScript Dropper'),(8401,'Issue',466,2,'Margaritis Dimitrios (idea), Florian Roth (rule)'),(8402,'Issue',466,8,'none'),(8403,'Issue',466,10,'high'),(8404,'Issue',466,13,'community'),(8405,'Issue',466,14,'windows'),(8407,'Issue',466,11,'163533995'),(8408,'Issue',466,12,'cea72823-df4d-4567-950c-0b579eaf0846'),(8409,'Issue',466,16,'win-proc'),(8410,'Issue',466,17,''),(8411,'Issue',466,7,''),(8412,'Issue',466,3,'Detects wscript/cscript executions of scripts located in user directories'),(8413,'Issue',466,4,''),(8414,'Issue',466,5,'_False Positives_\nWinzip\nOther self-extractors\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8415,'Issue',466,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.command_line.keyword:(*\\ C\\:\\\\Users\\\\*.jse\\ * OR *\\ C\\:\\\\Users\\\\*.vbe\\ * OR *\\ C\\:\\\\Users\\\\*.js\\ * OR *\\ C\\:\\\\Users\\\\*.vba\\ * OR *\\ C\\:\\\\Users\\\\*.vbs\\ * OR *\\ C\\:\\\\ProgramData\\\\*.jse\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbe\\ * OR *\\ C\\:\\\\ProgramData\\\\*.js\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vba\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbs\\ *)) AND (NOT (process.parent.executable.keyword:*\\\\winzip*)))\nindex: so-*\nname: WScript or CScript Dropper\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8416,'Issue',466,9,'{{collapse(View Sigma)\n
\n\ntitle: WScript or CScript Dropper\nid: cea72823-df4d-4567-950c-0b579eaf0846\nstatus: experimental\ndescription: Detects wscript/cscript executions of scripts located in user directories\nauthor: Margaritis Dimitrios (idea), Florian Roth (rule)\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    CommandLine:\n    - \'* C:\\Users\\\\*.jse *\'\n    - \'* C:\\Users\\\\*.vbe *\'\n    - \'* C:\\Users\\\\*.js *\'\n    - \'* C:\\Users\\\\*.vba *\'\n    - \'* C:\\Users\\\\*.vbs *\'\n    - \'* C:\\ProgramData\\\\*.jse *\'\n    - \'* C:\\ProgramData\\\\*.vbe *\'\n    - \'* C:\\ProgramData\\\\*.js *\'\n    - \'* C:\\ProgramData\\\\*.vba *\'\n    - \'* C:\\ProgramData\\\\*.vbs *\'\n  falsepositive:\n    ParentImage: \'*\\winzip*\'\n  condition: selection and not falsepositive\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Winzip\n- Other self-extractors\nlevel: high\n\n
\n}}'),(8417,'Issue',466,15,'T1064'),(8418,'Issue',467,1,'Trickbot Malware Recon Activity'),(8419,'Issue',467,2,'David Burkett'),(8420,'Issue',467,8,'https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/'),(8421,'Issue',467,10,'critical'),(8422,'Issue',467,13,'community'),(8423,'Issue',467,14,'windows'),(8425,'Issue',467,11,'1482df18d'),(8426,'Issue',467,12,'410ad193-a728-4107-bc79-4419789fcbf8'),(8427,'Issue',467,16,'win-proc'),(8428,'Issue',467,17,''),(8429,'Issue',467,7,''),(8430,'Issue',467,3,'Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.'),(8431,'Issue',467,4,''),(8432,'Issue',467,5,'_False Positives_\nRare System Admin Activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8433,'Issue',467,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\nltest.exe) AND process.command_line:(\"\\/domain_trusts\\ \\/all_trusts\" OR \"\\/domain_trusts\"))\nindex: so-*\nname: Trickbot Malware Recon Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8434,'Issue',467,9,'{{collapse(View Sigma)\n
\n\ntitle: Trickbot Malware Recon Activity\nid: 410ad193-a728-4107-bc79-4419789fcbf8\nstatus: experimental\ndescription: Trickbot enumerates domain/network topology and executes certain commands\n  automatically every few minutes. This detectors attempts to identify that activity\n  based off a command rarely observed in an enterprise network.\nreferences:\n- https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/\nauthor: David Burkett\ndate: 2019/12/28\ntags:\n- attack.t1482\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\nltest.exe\'\n    CommandLine:\n    - /domain_trusts /all_trusts\n    - /domain_trusts\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Rare System Admin Activity\nlevel: critical\n\n
\n}}'),(8435,'Issue',467,15,'T1482'),(8436,'Issue',468,1,'WannaCry Ransomware'),(8437,'Issue',468,2,'Florian Roth (rule), Tom U. @c_APT_ure (collection)'),(8438,'Issue',468,8,'https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100'),(8439,'Issue',468,10,'critical'),(8440,'Issue',468,13,'community'),(8441,'Issue',468,14,'windows'),(8442,'Issue',468,15,''),(8443,'Issue',468,11,'39c3b0af5'),(8444,'Issue',468,12,'41d40bff-377a-43e2-8e1b-2e543069e079'),(8445,'Issue',468,16,'win-proc'),(8446,'Issue',468,17,''),(8447,'Issue',468,7,''),(8448,'Issue',468,3,'Detects WannaCry ransomware activity'),(8449,'Issue',468,4,''),(8450,'Issue',468,5,'_False Positives_\nDiskpart.exe usage to manage partitions on the local hard drive\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8451,'Issue',468,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\tasksche.exe OR *\\\\mssecsvc.exe OR *\\\\taskdl.exe OR *\\\\@WanaDecryptor@* OR *\\\\WanaDecryptor* OR *\\\\taskhsvc.exe OR *\\\\taskse.exe OR *\\\\111.exe OR *\\\\lhdfrgui.exe OR *\\\\diskpart.exe OR *\\\\linuxnew.exe OR *\\\\wannacry.exe) OR process.command_line.keyword:(*icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q* OR *bcdedit\\ \\/set\\ \\{default\\}\\ recoveryenabled\\ no* OR *wbadmin\\ delete\\ catalog\\ \\-quiet* OR *@Please_Read_Me@.txt*)))\nindex: so-*\nname: WannaCry Ransomware\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8452,'Issue',468,9,'{{collapse(View Sigma)\n
\n\ntitle: WannaCry Ransomware\nid: 41d40bff-377a-43e2-8e1b-2e543069e079\nstatus: experimental\ndescription: Detects WannaCry ransomware activity\nreferences:\n- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\nauthor: Florian Roth (rule), Tom U. @c_APT_ure (collection)\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image:\n    - \'*\\tasksche.exe\'\n    - \'*\\mssecsvc.exe\'\n    - \'*\\taskdl.exe\'\n    - \'*\\@WanaDecryptor@*\'\n    - \'*\\WanaDecryptor*\'\n    - \'*\\taskhsvc.exe\'\n    - \'*\\taskse.exe\'\n    - \'*\\111.exe\'\n    - \'*\\lhdfrgui.exe\'\n    - \'*\\diskpart.exe\'\n    - \'*\\linuxnew.exe\'\n    - \'*\\wannacry.exe\'\n  selection2:\n    CommandLine:\n    - \'*icacls * /grant Everyone:F /T /C /Q*\'\n    - \'*bcdedit /set {default} recoveryenabled no*\'\n    - \'*wbadmin delete catalog -quiet*\'\n    - \'*@Please_Read_Me@.txt*\'\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Diskpart.exe usage to manage partitions on the local hard drive\nlevel: critical\n\n
\n}}'),(8453,'Issue',469,1,'MavInject Process Injection'),(8454,'Issue',469,2,'Florian Roth'),(8455,'Issue',469,8,'https://twitter.com/gN3mes1s/status/941315826107510784\nhttps://reaqta.com/2017/12/mavinject-microsoft-injector/\nhttps://twitter.com/Hexacorn/status/776122138063409152'),(8456,'Issue',469,10,'critical'),(8457,'Issue',469,13,'community'),(8458,'Issue',469,14,'windows'),(8460,'Issue',469,11,'313d39562'),(8461,'Issue',469,12,'17eb8e57-9983-420d-ad8a-2c4976c22eb8'),(8462,'Issue',469,16,'win-proc'),(8463,'Issue',469,17,''),(8464,'Issue',469,7,''),(8465,'Issue',469,3,'Detects process injection using the signed Windows tool Mavinject32.exe'),(8466,'Issue',469,4,''),(8467,'Issue',469,5,'_False Positives_\nunknown'),(8468,'Issue',469,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ \\/INJECTRUNNING\\ *)\nindex: so-*\nname: MavInject Process Injection\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8469,'Issue',469,9,'{{collapse(View Sigma)\n
\n\ntitle: MavInject Process Injection\nid: 17eb8e57-9983-420d-ad8a-2c4976c22eb8\nstatus: experimental\ndescription: Detects process injection using the signed Windows tool Mavinject32.exe\nreferences:\n- https://twitter.com/gN3mes1s/status/941315826107510784\n- https://reaqta.com/2017/12/mavinject-microsoft-injector/\n- https://twitter.com/Hexacorn/status/776122138063409152\nauthor: Florian Roth\ndate: 2018/12/12\ntags:\n- attack.t1055\n- attack.t1218\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'* /INJECTRUNNING *\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(8470,'Issue',469,15,'T1055'),(8471,'Issue',469,15,'T1218'),(8472,'Issue',470,1,'Meterpreter or Cobalt Strike Getsystem Service Start'),(8473,'Issue',470,2,'Teymur Kheirkhabarov'),(8474,'Issue',470,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/'),(8475,'Issue',470,10,'high'),(8476,'Issue',470,13,'community'),(8477,'Issue',470,14,'windows'),(8479,'Issue',470,11,'faf8435b3'),(8480,'Issue',470,12,'15619216-e993-4721-b590-4c520615a67d'),(8481,'Issue',470,16,'win-proc'),(8482,'Issue',470,17,''),(8483,'Issue',470,7,''),(8484,'Issue',470,3,'Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting'),(8485,'Issue',470,4,''),(8486,'Issue',470,5,'_False Positives_\nCommandlines containing components like cmd accidentally\nJobs and services started with cmd\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8487,'Issue',470,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\services.exe AND (process.command_line.keyword:(*cmd* OR *comspec*) OR (process.command_line.keyword:*cmd* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*echo* AND process.command_line.keyword:*\\\\pipe\\*) OR (process.command_line.keyword:*%COMSPEC%* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*echo* AND process.command_line.keyword:*\\\\pipe\\*) OR (process.command_line.keyword:*rundll32* AND process.command_line.keyword:*.dll,a* AND process.command_line.keyword:*\\/p\\:*))) AND (NOT (process.command_line.keyword:*MpCmdRun*)))\nindex: so-*\nname: Meterpreter or Cobalt Strike Getsystem Service Start\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8488,'Issue',470,9,'{{collapse(View Sigma)\n
\n\ntitle: Meterpreter or Cobalt Strike Getsystem Service Start\nid: 15619216-e993-4721-b590-4c520615a67d\ndescription: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting\n  a specific service starting\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    ParentImage|endswith: \\services.exe\n  selection_2:\n  - CommandLine|contains:\n    - cmd\n    - comspec\n  - CommandLine|contains|all:\n    - cmd\n    - /c\n    - echo\n    - \\pipe\\\n  - CommandLine|contains|all:\n    - \'%COMSPEC%\'\n    - /c\n    - echo\n    - \\pipe\\\n  - CommandLine|contains|all:\n    - rundll32\n    - .dll,a\n    - \'/p:\'\n  filter1:\n    CommandLine|contains: MpCmdRun\n  condition: selection_1 and selection_2 and not filter1\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Commandlines containing components like cmd accidentally\n- Jobs and services started with cmd\nlevel: high\n\n
\n}}'),(8489,'Issue',470,15,'T1134'),(8490,'Issue',471,1,'Mimikatz Command Line'),(8491,'Issue',471,2,'Teymur Kheirkhabarov, oscd.community'),(8492,'Issue',471,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(8493,'Issue',471,10,'medium'),(8494,'Issue',471,13,'community'),(8495,'Issue',471,14,'windows'),(8497,'Issue',471,11,'f9e688b06'),(8498,'Issue',471,12,'a642964e-bead-4bed-8910-1bb4d63e3b4d'),(8499,'Issue',471,16,'win-proc'),(8500,'Issue',471,17,''),(8501,'Issue',471,7,''),(8502,'Issue',471,3,'Detection well-known mimikatz command line arguments'),(8503,'Issue',471,4,''),(8504,'Issue',471,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(8505,'Issue',471,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*DumpCreds* OR *invoke\\-mimikatz*) OR (process.command_line.keyword:(*rpc* OR *token* OR *crypto* OR *dpapi* OR *sekurlsa* OR *kerberos* OR *lsadump* OR *privilege* OR *process*) AND process.command_line.keyword:(*\\:\\:*))))\nindex: so-*\nname: Mimikatz Command Line\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8506,'Issue',471,9,'{{collapse(View Sigma)\n
\n\ntitle: Mimikatz Command Line\nid: a642964e-bead-4bed-8910-1bb4d63e3b4d\ndescription: Detection well-known mimikatz command line arguments\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    CommandLine|contains:\n    - DumpCreds\n    - invoke-mimikatz\n  selection_2:\n    CommandLine|contains:\n    - rpc\n    - token\n    - crypto\n    - dpapi\n    - sekurlsa\n    - kerberos\n    - lsadump\n    - privilege\n    - process\n  selection_3:\n    CommandLine|contains:\n    - \'::\'\n  condition: selection_1 or selection_2 and selection_3\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: medium\nstatus: experimental\n\n
\n}}'),(8507,'Issue',471,15,'T1003'),(8508,'Issue',472,1,'MMC Spawning Windows Shell'),(8509,'Issue',472,2,'Karneades, Swisscom CSIRT'),(8510,'Issue',472,8,'none'),(8511,'Issue',472,10,'high'),(8512,'Issue',472,13,'community'),(8513,'Issue',472,14,'windows'),(8515,'Issue',472,11,'5af2839b3'),(8516,'Issue',472,12,'05a2ab7e-ce11-4b63-86db-ab32e763e11d'),(8517,'Issue',472,16,'win-proc'),(8518,'Issue',472,17,''),(8519,'Issue',472,7,''),(8520,'Issue',472,3,'Detects a Windows command line executable started from MMC.'),(8521,'Issue',472,4,''),(8522,'Issue',472,5,'_False Positives_\n Unknown\n\n_Interesting Log Fields_\nCommandLine\nImage\nParentCommandLine'),(8523,'Issue',472,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\mmc.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))\nindex: so-*\nname: MMC Spawning Windows Shell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8524,'Issue',472,9,'{{collapse(View Sigma)\n
\n\ntitle: MMC Spawning Windows Shell\nid: 05a2ab7e-ce11-4b63-86db-ab32e763e11d\nstatus: experimental\ndescription: Detects a Windows command line executable started from MMC.\nauthor: Karneades, Swisscom CSIRT\ndate: 2019/08/05\ntags:\n- attack.lateral_movement\n- attack.t1175\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\mmc.exe\'\n    Image:\n    - \'*\\cmd.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\sh.exe\'\n    - \'*\\bash.exe\'\n    - \'*\\reg.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\BITSADMIN*\'\n  condition: selection\nfields:\n- CommandLine\n- Image\n- ParentCommandLine\nlevel: high\n\n
\n}}'),(8525,'Issue',472,15,'T1175'),(8526,'Issue',473,1,'MSHTA Spawning Windows Shell'),(8527,'Issue',473,2,'Michael Haag'),(8528,'Issue',473,8,'https://www.trustedsec.com/july-2015/malicious-htas/'),(8529,'Issue',473,10,'high'),(8530,'Issue',473,13,'community'),(8531,'Issue',473,14,'windows'),(8533,'Issue',473,11,'16c1a6c19'),(8534,'Issue',473,12,'03cc0c25-389f-4bf8-b48d-11878079f1ca'),(8535,'Issue',473,16,'win-proc'),(8536,'Issue',473,17,''),(8537,'Issue',473,7,''),(8538,'Issue',473,3,'Detects a Windows command line executable started from MSHTA.'),(8539,'Issue',473,4,''),(8540,'Issue',473,5,'_False Positives_\nPrinter software / driver installations\nHP software\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8541,'Issue',473,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\mshta.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))\nindex: so-*\nname: MSHTA Spawning Windows Shell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8542,'Issue',473,9,'{{collapse(View Sigma)\n
\n\ntitle: MSHTA Spawning Windows Shell\nid: 03cc0c25-389f-4bf8-b48d-11878079f1ca\nstatus: experimental\ndescription: Detects a Windows command line executable started from MSHTA.\nreferences:\n- https://www.trustedsec.com/july-2015/malicious-htas/\nauthor: Michael Haag\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\mshta.exe\'\n    Image:\n    - \'*\\cmd.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\sh.exe\'\n    - \'*\\bash.exe\'\n    - \'*\\reg.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\BITSADMIN*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1170\n- car.2013-02-003\n- car.2013-03-001\n- car.2014-04-003\nfalsepositives:\n- Printer software / driver installations\n- HP software\nlevel: high\n\n
\n}}'),(8543,'Issue',473,15,'T1170'),(8544,'Issue',474,1,'Quick Execution of a Series of Suspicious Commands'),(8545,'Issue',474,2,'juju4'),(8546,'Issue',474,8,'https://car.mitre.org/wiki/CAR-2013-04-002'),(8547,'Issue',474,10,'low'),(8548,'Issue',474,13,'community'),(8549,'Issue',474,14,'windows'),(8550,'Issue',474,15,''),(8551,'Issue',474,11,'9a5d32ef1'),(8552,'Issue',474,12,'61ab5496-748e-4818-a92f-de78e20fe7f1'),(8553,'Issue',474,16,'win-proc'),(8554,'Issue',474,17,''),(8555,'Issue',474,7,''),(8556,'Issue',474,3,'Detects multiple suspicious process in a limited timeframe'),(8557,'Issue',474,4,''),(8558,'Issue',474,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(8559,'Issue',474,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"arp.exe\" OR \"at.exe\" OR \"attrib.exe\" OR \"cscript.exe\" OR \"dsquery.exe\" OR \"hostname.exe\" OR \"ipconfig.exe\" OR \"mimikatz.exe\" OR \"nbtstat.exe\" OR \"net.exe\" OR \"netsh.exe\" OR \"nslookup.exe\" OR \"ping.exe\" OR \"quser.exe\" OR \"qwinsta.exe\" OR \"reg.exe\" OR \"runas.exe\" OR \"sc.exe\" OR \"schtasks.exe\" OR \"ssh.exe\" OR \"systeminfo.exe\" OR \"taskkill.exe\" OR \"telnet.exe\" OR \"tracert.exe\" OR \"wscript.exe\" OR \"xcopy.exe\" OR \"pscp.exe\" OR \"copy.exe\" OR \"robocopy.exe\" OR \"certutil.exe\" OR \"vssadmin.exe\" OR \"powershell.exe\" OR \"wevtutil.exe\" OR \"psexec.exe\" OR \"bcedit.exe\" OR \"wbadmin.exe\" OR \"icacls.exe\" OR \"diskpart.exe\"))\nindex: so-*\nmax_threshold: 5\nmetric_agg_key: _id\nmetric_agg_type: cardinality\nname: Quick Execution of a Series of Suspicious Commands\npriority: 4\nquery_key: MachineName.keyword\nrealert:\n  minutes: 0\ntype: metric_aggregation\n
\n}}'),(8560,'Issue',474,9,'{{collapse(View Sigma)\n
\n\ntitle: Quick Execution of a Series of Suspicious Commands\nid: 61ab5496-748e-4818-a92f-de78e20fe7f1\ndescription: Detects multiple suspicious process in a limited timeframe\nstatus: experimental\nreferences:\n- https://car.mitre.org/wiki/CAR-2013-04-002\nauthor: juju4\ndate: 2019/01/16\ntags:\n- car.2013-04-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - arp.exe\n    - at.exe\n    - attrib.exe\n    - cscript.exe\n    - dsquery.exe\n    - hostname.exe\n    - ipconfig.exe\n    - mimikatz.exe\n    - nbtstat.exe\n    - net.exe\n    - netsh.exe\n    - nslookup.exe\n    - ping.exe\n    - quser.exe\n    - qwinsta.exe\n    - reg.exe\n    - runas.exe\n    - sc.exe\n    - schtasks.exe\n    - ssh.exe\n    - systeminfo.exe\n    - taskkill.exe\n    - telnet.exe\n    - tracert.exe\n    - wscript.exe\n    - xcopy.exe\n    - pscp.exe\n    - copy.exe\n    - robocopy.exe\n    - certutil.exe\n    - vssadmin.exe\n    - powershell.exe\n    - wevtutil.exe\n    - psexec.exe\n    - bcedit.exe\n    - wbadmin.exe\n    - icacls.exe\n    - diskpart.exe\n  timeframe: 5m\n  condition: selection | count() by MachineName > 5\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: low\n\n
\n}}'),(8561,'Issue',475,1,'Windows Network Enumeration'),(8562,'Issue',475,2,'Endgame, JHasenbusch (ported for oscd.community)'),(8563,'Issue',475,8,'https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml'),(8564,'Issue',475,10,'low'),(8565,'Issue',475,13,'community'),(8566,'Issue',475,14,'windows'),(8568,'Issue',475,11,'bbe12b620'),(8569,'Issue',475,12,'62510e69-616b-4078-b371-847da438cc03'),(8570,'Issue',475,16,'win-proc'),(8571,'Issue',475,17,''),(8572,'Issue',475,7,''),(8573,'Issue',475,3,'Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.'),(8574,'Issue',475,4,''),(8575,'Issue',475,5,'_False Positives_\nLegitimate use of net.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8576,'Issue',475,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*view*) AND (NOT (process.command_line.keyword:*\\\\*)))\nindex: so-*\nname: Windows Network Enumeration\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8577,'Issue',475,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Network Enumeration\nid: 62510e69-616b-4078-b371-847da438cc03\nstatus: stable\ndescription: Identifies attempts to enumerate hosts in a network using the built-in\n  Windows net.exe tool.\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml\nauthor: Endgame, JHasenbusch (ported for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.discovery\n- attack.t1018\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: view\n  filter:\n    CommandLine|contains: \\\\\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of net.exe utility by legitimate user\nlevel: low\n\n
\n}}'),(8578,'Issue',475,15,'T1018'),(8579,'Issue',476,1,'Net.exe User Account Creation'),(8580,'Issue',476,2,'Endgame, JHasenbusch (adapted to sigma for oscd.community)'),(8581,'Issue',476,8,'https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml'),(8582,'Issue',476,10,'medium'),(8583,'Issue',476,13,'community'),(8584,'Issue',476,14,'windows'),(8586,'Issue',476,11,'c9bfceef1'),(8587,'Issue',476,12,'cd219ff3-fa99-45d4-8380-a7d15116c6dc'),(8588,'Issue',476,16,'win-proc'),(8589,'Issue',476,17,''),(8590,'Issue',476,7,''),(8591,'Issue',476,3,'Identifies creation of local users via the net.exe command'),(8592,'Issue',476,4,''),(8593,'Issue',476,5,'_False Positives_\nLegit user creation\nBetter use event ids for user creation rather than command line rules\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8594,'Issue',476,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*user* AND process.command_line.keyword:*add*)\nindex: so-*\nname: Net.exe User Account Creation\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8595,'Issue',476,9,'{{collapse(View Sigma)\n
\n\ntitle: Net.exe User Account Creation\nid: cd219ff3-fa99-45d4-8380-a7d15116c6dc\nstatus: experimental\ndescription: Identifies creation of local users via the net.exe command\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml\nauthor: Endgame, JHasenbusch (adapted to sigma for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.persistence\n- attack.credential_access\n- attack.t1136\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains|all:\n    - user\n    - add\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legit user creation\n- Better use event ids for user creation rather than command line rules\nlevel: medium\n\n
\n}}'),(8596,'Issue',476,15,'T1136'),(8597,'Issue',477,1,'Netsh'),(8598,'Issue',477,2,'Markus Neis'),(8599,'Issue',477,8,'https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)\nhttps://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf'),(8600,'Issue',477,10,'medium'),(8601,'Issue',477,13,'community'),(8602,'Issue',477,14,'windows'),(8604,'Issue',477,11,'bdbaabb5e'),(8605,'Issue',477,12,'cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c'),(8606,'Issue',477,16,'win-proc'),(8607,'Issue',477,17,''),(8608,'Issue',477,7,''),(8609,'Issue',477,3,'Allow Incoming Connections by Port or Application on Windows Firewall'),(8610,'Issue',477,4,''),(8611,'Issue',477,5,'_False Positives_\nLegitimate administration'),(8612,'Issue',477,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*netsh\\ firewall\\ add*))\nindex: so-*\nname: Netsh\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8613,'Issue',477,9,'{{collapse(View Sigma)\n
\n\ntitle: Netsh\nid: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c\ndescription: Allow Incoming Connections by Port or Application on Windows Firewall\nreferences:\n- https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)\n- https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.command_and_control\n- attack.t1090\nstatus: experimental\nauthor: Markus Neis\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*netsh firewall add*\'\n  condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(8614,'Issue',477,15,'T1090'),(8615,'Issue',478,1,'Capture a Network Trace with netsh.exe'),(8616,'Issue',478,2,'Kutepov Anton, oscd.community'),(8617,'Issue',478,8,'https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/'),(8618,'Issue',478,10,'medium'),(8619,'Issue',478,13,'community'),(8620,'Issue',478,14,'windows'),(8622,'Issue',478,11,'0b2f94184'),(8623,'Issue',478,12,'d3c3861d-c504-4c77-ba55-224ba82d0118'),(8624,'Issue',478,16,'win-proc'),(8625,'Issue',478,17,''),(8626,'Issue',478,7,''),(8627,'Issue',478,3,'Detects capture a network trace via netsh.exe trace functionality'),(8628,'Issue',478,4,''),(8629,'Issue',478,5,'_False Positives_\nLegitimate administrator or user uses netsh.exe trace functionality for legitimate reason'),(8630,'Issue',478,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*netsh* AND process.command_line.keyword:*trace* AND process.command_line.keyword:*start*)\nindex: so-*\nname: Capture a Network Trace with netsh.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8631,'Issue',478,9,'{{collapse(View Sigma)\n
\n\ntitle: Capture a Network Trace with netsh.exe\nid: d3c3861d-c504-4c77-ba55-224ba82d0118\nstatus: experimental\ndescription: Detects capture a network trace via netsh.exe trace functionality\nreferences:\n- https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/\nauthor: Kutepov Anton, oscd.community\ndate: 2019/10/24\ntags:\n- attack.discovery\n- attack.t1040\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - netsh\n    - trace\n    - start\n  condition: selection\nfalsepositives:\n- Legitimate administrator or user uses netsh.exe trace functionality for legitimate\n  reason\nlevel: medium\n\n
\n}}'),(8632,'Issue',478,15,'T1040'),(8633,'Issue',479,1,'Netsh Port Forwarding'),(8634,'Issue',479,2,'Florian Roth'),(8635,'Issue',479,8,'https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html'),(8636,'Issue',479,10,'medium'),(8637,'Issue',479,13,'community'),(8638,'Issue',479,14,'windows'),(8640,'Issue',479,11,'6c81001f0'),(8641,'Issue',479,12,'322ed9ec-fcab-4f67-9a34-e7c6aef43614'),(8642,'Issue',479,16,'win-proc'),(8643,'Issue',479,17,''),(8644,'Issue',479,7,''),(8645,'Issue',479,3,'Detects netsh commands that configure a port forwarding'),(8646,'Issue',479,4,''),(8647,'Issue',479,5,'_False Positives_\nLegitimate administration'),(8648,'Issue',479,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ interface\\ portproxy\\ add\\ v4tov4\\ *))\nindex: so-*\nname: Netsh Port Forwarding\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8649,'Issue',479,9,'{{collapse(View Sigma)\n
\n\ntitle: Netsh Port Forwarding\nid: 322ed9ec-fcab-4f67-9a34-e7c6aef43614\ndescription: Detects netsh commands that configure a port forwarding\nreferences:\n- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.command_and_control\n- attack.t1090\nstatus: experimental\nauthor: Florian Roth\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - netsh interface portproxy add v4tov4 *\n  condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(8650,'Issue',479,15,'T1090'),(8651,'Issue',480,1,'Netsh RDP Port Forwarding'),(8652,'Issue',480,2,'Florian Roth'),(8653,'Issue',480,8,'https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html'),(8654,'Issue',480,10,'high'),(8655,'Issue',480,13,'community'),(8656,'Issue',480,14,'windows'),(8658,'Issue',480,11,'e26d39913'),(8659,'Issue',480,12,'782d6f3e-4c5d-4b8c-92a3-1d05fed72e63'),(8660,'Issue',480,16,'win-proc'),(8661,'Issue',480,17,''),(8662,'Issue',480,7,''),(8663,'Issue',480,3,'Detects netsh commands that configure a port forwarding of port 3389 used for RDP'),(8664,'Issue',480,4,''),(8665,'Issue',480,5,'_False Positives_\nLegitimate administration'),(8666,'Issue',480,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ i*\\ p*\\=3389\\ c*))\nindex: so-*\nname: Netsh RDP Port Forwarding\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8667,'Issue',480,9,'{{collapse(View Sigma)\n
\n\ntitle: Netsh RDP Port Forwarding\nid: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63\ndescription: Detects netsh commands that configure a port forwarding of port 3389\n  used for RDP\nreferences:\n- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.t1021\n- car.2013-07-002\nstatus: experimental\nauthor: Florian Roth\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - netsh i* p*=3389 c*\n  condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: high\n\n
\n}}'),(8668,'Issue',480,15,'T1021'),(8669,'Issue',481,1,'Network Sniffing'),(8670,'Issue',481,2,'Timur Zinniatullin, oscd.community'),(8671,'Issue',481,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml'),(8672,'Issue',481,10,'low'),(8673,'Issue',481,13,'community'),(8674,'Issue',481,14,'windows'),(8676,'Issue',481,11,'94c26afa0'),(8677,'Issue',481,12,'ba1f7802-adc7-48b4-9ecb-81e227fddfd5'),(8678,'Issue',481,16,'win-proc'),(8679,'Issue',481,17,''),(8680,'Issue',481,7,''),(8681,'Issue',481,3,'Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.'),(8682,'Issue',481,4,''),(8683,'Issue',481,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(8684,'Issue',481,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\tshark.exe AND process.command_line.keyword:*\\-i*) OR process.executable.keyword:*\\\\windump.exe))\nindex: so-*\nname: Network Sniffing\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8685,'Issue',481,9,'{{collapse(View Sigma)\n
\n\ntitle: Network Sniffing\nid: ba1f7802-adc7-48b4-9ecb-81e227fddfd5\nstatus: experimental\ndescription: Network sniffing refers to using the network interface on a system to\n  monitor or capture information sent over a wired or wireless connection. An adversary\n  may place a network interface into promiscuous mode to passively access data in\n  transit over the network, or use span ports to capture a larger amount of data.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\tshark.exe\n    CommandLine|contains: -i\n  - Image|endswith: \\windump.exe\n  condition: selection\nfalsepositives:\n- Admin activity\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.credential_access\n- attack.discovery\n- attack.t1040\n\n
\n}}'),(8686,'Issue',481,15,'T1040'),(8687,'Issue',482,1,'New Service Creation'),(8688,'Issue',482,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(8689,'Issue',482,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml'),(8690,'Issue',482,10,'low'),(8691,'Issue',482,13,'community'),(8692,'Issue',482,14,'windows'),(8694,'Issue',482,11,'6d821e19d'),(8695,'Issue',482,12,'7fe71fc9-de3b-432a-8d57-8c809efc10ab'),(8696,'Issue',482,16,'win-proc'),(8697,'Issue',482,17,''),(8698,'Issue',482,7,''),(8699,'Issue',482,3,'Detects creation if a new service'),(8700,'Issue',482,4,''),(8701,'Issue',482,5,'_False Positives_\nLegitimate administrator or user creates a service for legitimate reason'),(8702,'Issue',482,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\sc.exe AND process.command_line.keyword:*create* AND process.command_line.keyword:*binpath*) OR (process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*new\\-service*)))\nindex: so-*\nname: New Service Creation\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8703,'Issue',482,9,'{{collapse(View Sigma)\n
\n\ntitle: New Service Creation\nid: 7fe71fc9-de3b-432a-8d57-8c809efc10ab\nstatus: experimental\ndescription: Detects creation if a new service\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1050\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\sc.exe\n    CommandLine|contains|all:\n    - create\n    - binpath\n  - Image|endswith: \\powershell.exe\n    CommandLine|contains: new-service\n  condition: selection\nfalsepositives:\n- Legitimate administrator or user creates a service for legitimate reason\nlevel: low\n\n
\n}}'),(8704,'Issue',482,15,'T1050'),(8705,'Issue',483,1,'Non Interactive PowerShell'),(8706,'Issue',483,2,'Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)'),(8707,'Issue',483,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md'),(8708,'Issue',483,10,'medium'),(8709,'Issue',483,13,'community'),(8710,'Issue',483,14,'windows'),(8712,'Issue',483,11,'1e5e14278'),(8713,'Issue',483,12,'f4bbd493-b796-416e-bbf2-121235348529'),(8714,'Issue',483,16,'win-proc'),(8715,'Issue',483,17,''),(8716,'Issue',483,7,''),(8717,'Issue',483,3,'Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.'),(8718,'Issue',483,4,''),(8719,'Issue',483,5,'_False Positives_\nLegitimate programs executing PowerShell scripts'),(8720,'Issue',483,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND (NOT (process.parent.executable.keyword:*\\\\explorer.exe)))\nindex: so-*\nname: Non Interactive PowerShell\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8721,'Issue',483,9,'{{collapse(View Sigma)\n
\n\ntitle: Non Interactive PowerShell\nid: f4bbd493-b796-416e-bbf2-121235348529\ndescription: Detects non-interactive PowerShell activity by looking at powershell.exe\n  with not explorer.exe as a parent.\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\powershell.exe\n  filter:\n    ParentImage|endswith: \\explorer.exe\n  condition: selection and not filter\nfalsepositives:\n- Legitimate programs executing PowerShell scripts\nlevel: medium\n\n
\n}}'),(8722,'Issue',483,15,'T1086'),(8723,'Issue',484,1,'Microsoft Office Product Spawning Windows Shell'),(8724,'Issue',484,2,'Michael Haag, Florian Roth, Markus Neis'),(8725,'Issue',484,8,'https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100\nhttps://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html'),(8726,'Issue',484,10,'high'),(8727,'Issue',484,13,'community'),(8728,'Issue',484,14,'windows'),(8730,'Issue',484,11,'6393d359f'),(8731,'Issue',484,12,'438025f9-5856-4663-83f7-52f878a70a50'),(8732,'Issue',484,16,'win-proc'),(8733,'Issue',484,17,''),(8734,'Issue',484,7,''),(8735,'Issue',484,3,'Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.'),(8736,'Issue',484,4,''),(8737,'Issue',484,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8738,'Issue',484,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\scrcons.exe OR *\\\\schtasks.exe OR *\\\\regsvr32.exe OR *\\\\hh.exe OR *\\\\wmic.exe OR *\\\\mshta.exe OR *\\\\rundll32.exe OR *\\\\msiexec.exe OR *\\\\forfiles.exe OR *\\\\scriptrunner.exe OR *\\\\mftrace.exe OR *\\\\AppVLP.exe OR *\\\\svchost.exe))\nindex: so-*\nname: Microsoft Office Product Spawning Windows Shell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8739,'Issue',484,9,'{{collapse(View Sigma)\n
\n\ntitle: Microsoft Office Product Spawning Windows Shell\nid: 438025f9-5856-4663-83f7-52f878a70a50\nstatus: experimental\ndescription: Detects a Windows command line executable started from Microsoft Word,\n  Excel, Powerpoint, Publisher and Visio.\nreferences:\n- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100\n- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1059\n- attack.t1202\n- car.2013-02-003\n- car.2014-04-003\nauthor: Michael Haag, Florian Roth, Markus Neis\ndate: 2018/04/06\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\WINWORD.EXE\'\n    - \'*\\EXCEL.EXE\'\n    - \'*\\POWERPNT.exe\'\n    - \'*\\MSPUB.exe\'\n    - \'*\\VISIO.exe\'\n    - \'*\\OUTLOOK.EXE\'\n    Image:\n    - \'*\\cmd.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\sh.exe\'\n    - \'*\\bash.exe\'\n    - \'*\\scrcons.exe\'\n    - \'*\\schtasks.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\hh.exe\'\n    - \'*\\wmic.exe\'\n    - \'*\\mshta.exe\'\n    - \'*\\rundll32.exe\'\n    - \'*\\msiexec.exe\'\n    - \'*\\forfiles.exe\'\n    - \'*\\scriptrunner.exe\'\n    - \'*\\mftrace.exe\'\n    - \'*\\AppVLP.exe\'\n    - \'*\\svchost.exe\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8740,'Issue',484,15,'T1059'),(8741,'Issue',484,15,'T1202'),(8742,'Issue',485,1,'MS Office Product Spawning Exe in User Dir'),(8743,'Issue',485,2,'Jason Lynch'),(8744,'Issue',485,8,'sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c\nhttps://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign'),(8745,'Issue',485,10,'high'),(8746,'Issue',485,13,'community'),(8747,'Issue',485,14,'windows'),(8749,'Issue',485,11,'73473d045'),(8750,'Issue',485,12,'aa3a6f94-890e-4e22-b634-ffdfd54792cc'),(8751,'Issue',485,16,'win-proc'),(8752,'Issue',485,17,''),(8753,'Issue',485,7,''),(8754,'Issue',485,3,'Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio'),(8755,'Issue',485,4,''),(8756,'Issue',485,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8757,'Issue',485,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND process.executable.keyword:(C\\:\\\\users\\\\*.exe))\nindex: so-*\nname: MS Office Product Spawning Exe in User Dir\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8758,'Issue',485,9,'{{collapse(View Sigma)\n
\n\ntitle: MS Office Product Spawning Exe in User Dir\nid: aa3a6f94-890e-4e22-b634-ffdfd54792cc\nstatus: experimental\ndescription: Detects an executable in the users directory started from Microsoft Word,\n  Excel, Powerpoint, Publisher or Visio\nreferences:\n- sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c\n- https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1059\n- attack.t1202\n- FIN7\n- car.2013-05-002\nauthor: Jason Lynch\ndate: 2019/04/02\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\WINWORD.EXE\'\n    - \'*\\EXCEL.EXE\'\n    - \'*\\POWERPNT.exe\'\n    - \'*\\MSPUB.exe\'\n    - \'*\\VISIO.exe\'\n    - \'*\\OUTLOOK.EXE\'\n    Image:\n    - C:\\users\\\\*.exe\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8759,'Issue',485,15,'T1059'),(8760,'Issue',485,15,'T1202'),(8761,'Issue',486,1,'Executable Used by PlugX in Uncommon Location'),(8762,'Issue',486,2,'Florian Roth'),(8763,'Issue',486,8,'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\nhttps://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'),(8764,'Issue',486,10,'high'),(8765,'Issue',486,13,'community'),(8766,'Issue',486,14,'windows'),(8768,'Issue',486,11,'7c4ef5068'),(8769,'Issue',486,12,'aeab5ec5-be14-471a-80e8-e344418305c2'),(8770,'Issue',486,16,'win-proc'),(8771,'Issue',486,17,''),(8772,'Issue',486,7,''),(8773,'Issue',486,3,'Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location'),(8774,'Issue',486,4,''),(8775,'Issue',486,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8776,'Issue',486,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((((((((((((process.executable.keyword:*\\\\CamMute.exe AND (NOT (process.executable.keyword:*\\\\Lenovo\\\\Communication\\ Utility\\\\*))) OR (process.executable.keyword:*\\\\chrome_frame_helper.exe AND (NOT (process.executable.keyword:*\\\\Google\\\\Chrome\\\\application\\\\*)))) OR (process.executable.keyword:*\\\\dvcemumanager.exe AND (NOT (process.executable.keyword:*\\\\Microsoft\\ Device\\ Emulator\\\\*)))) OR (process.executable.keyword:*\\\\Gadget.exe AND (NOT (process.executable.keyword:*\\\\Windows\\ Media\\ Player\\\\*)))) OR (process.executable.keyword:*\\\\hcc.exe AND (NOT (process.executable.keyword:*\\\\HTML\\ Help\\ Workshop\\\\*)))) OR (process.executable.keyword:*\\\\hkcmd.exe AND (NOT (process.executable.keyword:(*\\\\System32\\\\* OR *\\\\SysNative\\\\* OR *\\\\SysWowo64\\\\*))))) OR (process.executable.keyword:*\\\\Mc.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit*))))) OR (process.executable.keyword:*\\\\MsMpEng.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Windows\\ Defender\\\\* OR *\\\\AntiMalware\\\\*))))) OR (process.executable.keyword:*\\\\msseces.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Security\\ Center\\\\* OR *\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Microsoft\\ Security\\ Essentials\\\\*))))) OR (process.executable.keyword:*\\\\OInfoP11.exe AND (NOT (process.executable.keyword:*\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\*)))) OR (process.executable.keyword:*\\\\OleView.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\*))))) OR (process.executable.keyword:*\\\\rc.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\* OR *\\\\Microsoft.NET\\\\*))))))\nindex: so-*\nname: Executable Used by PlugX in Uncommon Location\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8777,'Issue',486,9,'{{collapse(View Sigma)\n
\n\ntitle: Executable Used by PlugX in Uncommon Location\nid: aeab5ec5-be14-471a-80e8-e344418305c2\nstatus: experimental\ndescription: Detects the execution of an executable that is typically used by PlugX\n  for DLL side loading started from an uncommon location\nreferences:\n- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\n- https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/\nauthor: Florian Roth\ndate: 2017/06/12\ntags:\n- attack.s0013\n- attack.defense_evasion\n- attack.t1073\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_cammute:\n    Image: \'*\\CamMute.exe\'\n  filter_cammute:\n    Image: \'*\\Lenovo\\Communication Utility\\\\*\'\n  selection_chrome_frame:\n    Image: \'*\\chrome_frame_helper.exe\'\n  filter_chrome_frame:\n    Image: \'*\\Google\\Chrome\\application\\\\*\'\n  selection_devemu:\n    Image: \'*\\dvcemumanager.exe\'\n  filter_devemu:\n    Image: \'*\\Microsoft Device Emulator\\\\*\'\n  selection_gadget:\n    Image: \'*\\Gadget.exe\'\n  filter_gadget:\n    Image: \'*\\Windows Media Player\\\\*\'\n  selection_hcc:\n    Image: \'*\\hcc.exe\'\n  filter_hcc:\n    Image: \'*\\HTML Help Workshop\\\\*\'\n  selection_hkcmd:\n    Image: \'*\\hkcmd.exe\'\n  filter_hkcmd:\n    Image:\n    - \'*\\System32\\\\*\'\n    - \'*\\SysNative\\\\*\'\n    - \'*\\SysWowo64\\\\*\'\n  selection_mc:\n    Image: \'*\\Mc.exe\'\n  filter_mc:\n    Image:\n    - \'*\\Microsoft Visual Studio*\'\n    - \'*\\Microsoft SDK*\'\n    - \'*\\Windows Kit*\'\n  selection_msmpeng:\n    Image: \'*\\MsMpEng.exe\'\n  filter_msmpeng:\n    Image:\n    - \'*\\Microsoft Security Client\\\\*\'\n    - \'*\\Windows Defender\\\\*\'\n    - \'*\\AntiMalware\\\\*\'\n  selection_msseces:\n    Image: \'*\\msseces.exe\'\n  filter_msseces:\n    Image:\n    - \'*\\Microsoft Security Center\\\\*\'\n    - \'*\\Microsoft Security Client\\\\*\'\n    - \'*\\Microsoft Security Essentials\\\\*\'\n  selection_oinfo:\n    Image: \'*\\OInfoP11.exe\'\n  filter_oinfo:\n    Image: \'*\\Common Files\\Microsoft Shared\\\\*\'\n  selection_oleview:\n    Image: \'*\\OleView.exe\'\n  filter_oleview:\n    Image:\n    - \'*\\Microsoft Visual Studio*\'\n    - \'*\\Microsoft SDK*\'\n    - \'*\\Windows Kit*\'\n    - \'*\\Windows Resource Kit\\\\*\'\n  selection_rc:\n    Image: \'*\\rc.exe\'\n  filter_rc:\n    Image:\n    - \'*\\Microsoft Visual Studio*\'\n    - \'*\\Microsoft SDK*\'\n    - \'*\\Windows Kit*\'\n    - \'*\\Windows Resource Kit\\\\*\'\n    - \'*\\Microsoft.NET\\\\*\'\n  condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame\n    and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or\n    ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc\n    ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc\n    ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not\n    filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview\n    and not filter_oleview ) or ( selection_rc and not filter_rc )\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8778,'Issue',486,15,'T1073'),(8779,'Issue',487,1,'Possible Applocker Bypass'),(8780,'Issue',487,2,'juju4'),(8781,'Issue',487,8,'https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt\nhttps://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/'),(8782,'Issue',487,10,'low'),(8783,'Issue',487,13,'community'),(8784,'Issue',487,14,'windows'),(8786,'Issue',487,11,'d4a0bad42'),(8787,'Issue',487,12,'82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719'),(8788,'Issue',487,16,'win-proc'),(8789,'Issue',487,17,''),(8790,'Issue',487,7,''),(8791,'Issue',487,3,'Detects execution of executables that can be used to bypass Applocker whitelisting'),(8792,'Issue',487,4,''),(8793,'Issue',487,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\nUsing installutil to add features for .NET applications (primarly would occur in developer environments)'),(8794,'Issue',487,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\msdt.exe* OR *\\\\installutil.exe* OR *\\\\regsvcs.exe* OR *\\\\regasm.exe* OR *\\\\msbuild.exe* OR *\\\\ieexec.exe*))\nindex: so-*\nname: Possible Applocker Bypass\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8795,'Issue',487,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Applocker Bypass\nid: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719\ndescription: Detects execution of executables that can be used to bypass Applocker\n  whitelisting\nstatus: experimental\nreferences:\n- https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt\n- https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1118\n- attack.t1121\n- attack.t1127\n- attack.t1170\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains:\n    - \\msdt.exe\n    - \\installutil.exe\n    - \\regsvcs.exe\n    - \\regasm.exe\n    - \\msbuild.exe\n    - \\ieexec.exe\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\n- Using installutil to add features for .NET applications (primarly would occur in\n  developer environments)\nlevel: low\n\n
\n}}'),(8796,'Issue',487,15,'T1118'),(8797,'Issue',487,15,'T1121'),(8798,'Issue',487,15,'T1127'),(8799,'Issue',487,15,'T1170'),(8800,'Issue',488,1,'Detection of Possible Rotten Potato'),(8801,'Issue',488,2,'Teymur Kheirkhabarov'),(8802,'Issue',488,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'),(8803,'Issue',488,10,'high'),(8804,'Issue',488,13,'community'),(8805,'Issue',488,14,'windows'),(8807,'Issue',488,11,'c3d4efb18'),(8808,'Issue',488,12,'6c5808ee-85a2-4e56-8137-72e5876a5096'),(8809,'Issue',488,16,'win-proc'),(8810,'Issue',488,17,''),(8811,'Issue',488,7,''),(8812,'Issue',488,3,'Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges'),(8813,'Issue',488,4,''),(8814,'Issue',488,5,'_False Positives_\nUnknown'),(8815,'Issue',488,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (ParentUser:(\"NT\\ AUTHORITY\\\\NETWORK\\ SERVICE\" OR \"NT\\ AUTHORITY\\\\LOCAL\\ SERVICE\") AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\") AND (NOT (process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*DavSetCookie*)))\nindex: so-*\nname: Detection of Possible Rotten Potato\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8816,'Issue',488,9,'{{collapse(View Sigma)\n
\n\ntitle: Detection of Possible Rotten Potato\nid: 6c5808ee-85a2-4e56-8137-72e5876a5096\ndescription: Detection of child processes spawned with SYSTEM privileges by parents\n  with LOCAL SERVICE or NETWORK SERVICE privileges\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentUser:\n    - NT AUTHORITY\\NETWORK SERVICE\n    - NT AUTHORITY\\LOCAL SERVICE\n    User: NT AUTHORITY\\SYSTEM\n  rundllexception:\n    Image|endswith: \\rundll32.exe\n    CommandLine|contains: DavSetCookie\n  condition: selection and not rundllexception\nfalsepositives:\n- Unknown\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0002_enrich_sysmon_event_id_1_with_parent_info\n\n
\n}}'),(8817,'Issue',488,15,'T1134'),(8818,'Issue',489,1,'Powershell AMSI Bypass via .NET Reflection'),(8819,'Issue',489,2,'Markus Neis'),(8820,'Issue',489,8,'https://twitter.com/mattifestation/status/735261176745988096\nhttps://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120'),(8821,'Issue',489,10,'high'),(8822,'Issue',489,13,'community'),(8823,'Issue',489,14,'windows'),(8825,'Issue',489,11,'b5bdb996a'),(8826,'Issue',489,12,'30edb182-aa75-42c0-b0a9-e998bb29067c'),(8827,'Issue',489,16,'win-proc'),(8828,'Issue',489,17,''),(8829,'Issue',489,7,''),(8830,'Issue',489,3,'Detects Request to amsiInitFailed that can be used to disable AMSI Scanning'),(8831,'Issue',489,4,''),(8832,'Issue',489,5,'_False Positives_\nPotential Admin Activity'),(8833,'Issue',489,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*System.Management.Automation.AmsiUtils*) AND process.command_line.keyword:(*amsiInitFailed*))\nindex: so-*\nname: Powershell AMSI Bypass via .NET Reflection\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8834,'Issue',489,9,'{{collapse(View Sigma)\n
\n\ntitle: Powershell AMSI Bypass via .NET Reflection\nid: 30edb182-aa75-42c0-b0a9-e998bb29067c\nstatus: experimental\ndescription: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning\nreferences:\n- https://twitter.com/mattifestation/status/735261176745988096\n- https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1086\nauthor: Markus Neis\ndate: 2018/08/17\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'*System.Management.Automation.AmsiUtils*\'\n  selection2:\n    CommandLine:\n    - \'*amsiInitFailed*\'\n  condition: selection1 and selection2\nfalsepositives:\n- Potential Admin Activity\nlevel: high\n\n
\n}}'),(8835,'Issue',489,15,'T1086'),(8836,'Issue',490,1,'Audio Capture via PowerShell'),(8837,'Issue',490,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8838,'Issue',490,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html'),(8839,'Issue',490,10,'medium'),(8840,'Issue',490,13,'community'),(8841,'Issue',490,14,'windows'),(8843,'Issue',490,11,'7f4dc80d2'),(8844,'Issue',490,12,'932fb0d8-692b-4b0f-a26e-5643a50fe7d6'),(8845,'Issue',490,16,'win-proc'),(8846,'Issue',490,17,''),(8847,'Issue',490,7,''),(8848,'Issue',490,3,'Detects audio capture via PowerShell Cmdlet'),(8849,'Issue',490,4,''),(8850,'Issue',490,5,'_False Positives_\nLegitimate audio capture by legitimate user'),(8851,'Issue',490,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*WindowsAudioDevice\\-Powershell\\-Cmdlet*)\nindex: so-*\nname: Audio Capture via PowerShell\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8852,'Issue',490,9,'{{collapse(View Sigma)\n
\n\ntitle: Audio Capture via PowerShell\nid: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6\ndescription: Detects audio capture via PowerShell Cmdlet\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html\ntags:\n- attack.collection\n- attack.t1123\ndetection:\n  selection:\n    CommandLine|contains: WindowsAudioDevice-Powershell-Cmdlet\n  condition: selection\nfalsepositives:\n- Legitimate audio capture by legitimate user\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\n\n
\n}}'),(8853,'Issue',490,15,'T1123'),(8854,'Issue',491,1,'PowerShell Base64 Encoded Shellcode'),(8855,'Issue',491,2,'Florian Roth'),(8856,'Issue',491,8,'https://twitter.com/cyb3rops/status/1063072865992523776'),(8857,'Issue',491,10,'critical'),(8858,'Issue',491,13,'community'),(8859,'Issue',491,14,'windows'),(8861,'Issue',491,11,'5d3447e7d'),(8862,'Issue',491,12,'2d117e49-e626-4c7c-bd1f-c3c0147774c8'),(8863,'Issue',491,16,'win-proc'),(8864,'Issue',491,17,''),(8865,'Issue',491,7,''),(8866,'Issue',491,3,'Detects Base64 encoded Shellcode'),(8867,'Issue',491,4,''),(8868,'Issue',491,5,'_False Positives_\nUnknown'),(8869,'Issue',491,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*AAAAYInlM* AND process.command_line.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))\nindex: so-*\nname: PowerShell Base64 Encoded Shellcode\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8870,'Issue',491,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Base64 Encoded Shellcode\nid: 2d117e49-e626-4c7c-bd1f-c3c0147774c8\ndescription: Detects Base64 encoded Shellcode\nstatus: experimental\nreferences:\n- https://twitter.com/cyb3rops/status/1063072865992523776\nauthor: Florian Roth\ndate: 2018/11/17\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine: \'*AAAAYInlM*\'\n  selection2:\n    CommandLine:\n    - \'*OiCAAAAYInlM*\'\n    - \'*OiJAAAAYInlM*\'\n  condition: selection1 and selection2\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(8871,'Issue',491,15,'T1036'),(8872,'Issue',492,1,'Suspicious Bitsadmin Job via PowerShell'),(8873,'Issue',492,2,'Endgame, JHasenbusch (ported to sigma for oscd.community)'),(8874,'Issue',492,8,'https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md'),(8875,'Issue',492,10,'medium'),(8876,'Issue',492,13,'community'),(8877,'Issue',492,14,'windows'),(8879,'Issue',492,11,'8676c64ae'),(8880,'Issue',492,12,'f67dbfce-93bc-440d-86ad-a95ae8858c90'),(8881,'Issue',492,16,'win-proc'),(8882,'Issue',492,17,''),(8883,'Issue',492,7,''),(8884,'Issue',492,3,'Detect download by BITS jobs via PowerShell'),(8885,'Issue',492,4,''),(8886,'Issue',492,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8887,'Issue',492,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Start\\-BitsTransfer*)\nindex: so-*\nname: Suspicious Bitsadmin Job via PowerShell\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8888,'Issue',492,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Bitsadmin Job via PowerShell\nid: f67dbfce-93bc-440d-86ad-a95ae8858c90\nstatus: experimental\ndescription: Detect download by BITS jobs via PowerShell\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md\nauthor: Endgame, JHasenbusch (ported to sigma for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1197\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\powershell.exe\n    CommandLine|contains: Start-BitsTransfer\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(8889,'Issue',492,15,'T1197'),(8890,'Issue',493,1,'Detection of PowerShell Execution via DLL'),(8891,'Issue',493,2,'Markus Neis'),(8892,'Issue',493,8,'https://github.com/p3nt4/PowerShdll/blob/master/README.md'),(8893,'Issue',493,10,'high'),(8894,'Issue',493,13,'community'),(8895,'Issue',493,14,'windows'),(8897,'Issue',493,11,'35da2d6b7'),(8898,'Issue',493,12,'6812a10b-60ea-420c-832f-dfcc33b646ba'),(8899,'Issue',493,16,'win-proc'),(8900,'Issue',493,17,''),(8901,'Issue',493,7,''),(8902,'Issue',493,3,'Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll'),(8903,'Issue',493,4,''),(8904,'Issue',493,5,'_False Positives_\nUnknown'),(8905,'Issue',493,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\rundll32.exe) OR process.pe.description.keyword:(*Windows\\-Hostprozess\\ \\(Rundll32\\)*)) AND process.command_line.keyword:(*Default.GetString* OR *FromBase64String*))\nindex: so-*\nname: Detection of PowerShell Execution via DLL\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8906,'Issue',493,9,'{{collapse(View Sigma)\n
\n\ntitle: Detection of PowerShell Execution via DLL\nid: 6812a10b-60ea-420c-832f-dfcc33b646ba\nstatus: experimental\ndescription: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll\nreferences:\n- https://github.com/p3nt4/PowerShdll/blob/master/README.md\ntags:\n- attack.execution\n- attack.t1086\n- car.2014-04-003\nauthor: Markus Neis\ndate: 2018/08/25\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image:\n    - \'*\\rundll32.exe\'\n  selection2:\n    Description:\n    - \'*Windows-Hostprozess (Rundll32)*\'\n  selection3:\n    CommandLine:\n    - \'*Default.GetString*\'\n    - \'*FromBase64String*\'\n  condition: (selection1 or selection2) and selection3\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8907,'Issue',493,15,'T1086'),(8908,'Issue',494,1,'PowerShell Downgrade Attack'),(8909,'Issue',494,2,'Harish Segar (rule)'),(8910,'Issue',494,8,'http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/'),(8911,'Issue',494,10,'medium'),(8912,'Issue',494,13,'community'),(8913,'Issue',494,14,'windows'),(8915,'Issue',494,11,'7dd8ab307'),(8916,'Issue',494,12,'b3512211-c67e-4707-bedc-66efc7848863'),(8917,'Issue',494,16,'win-proc'),(8918,'Issue',494,17,''),(8919,'Issue',494,7,''),(8920,'Issue',494,3,'Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0'),(8921,'Issue',494,4,''),(8922,'Issue',494,5,'_False Positives_\nPenetration Test\nUnknown'),(8923,'Issue',494,6,'{{collapse(View ElastAlert Config)\n
\n\n\n
\n}}'),(8924,'Issue',494,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n  - id: 6331d09b-4785-4c13-980f-f96661356249\n    type: derived\nstatus: experimental\ndescription: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0\nreferences:\n    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\ntags:\n    - attack.defense_evasion\n    - attack.execution\n    - attack.t1086\nauthor: Harish Segar (rule)\ndate: 2020/03/20\nfalsepositives:\n    - Penetration Test\n    - Unknown\nlevel: medium\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: \n            - \' -version 2 \'\n            - \' -versio 2 \'\n            - \' -versi 2 \'\n            - \' -vers 2 \'\n            - \' -ver 2 \'\n            - \' -ve 2 \'        \n        Image|endswith: \'\\powershell.exe\'\n    condition: selection\n\n
\n}}'),(8925,'Issue',494,15,'T1086'),(8926,'Issue',495,1,'PowerShell Download from URL'),(8927,'Issue',495,2,'Florian Roth'),(8928,'Issue',495,8,'none'),(8929,'Issue',495,10,'medium'),(8930,'Issue',495,13,'community'),(8931,'Issue',495,14,'windows'),(8933,'Issue',495,11,'0058be94d'),(8934,'Issue',495,12,'3b6ab547-8ec2-4991-b9d2-2b06702a48d7'),(8935,'Issue',495,16,'win-proc'),(8936,'Issue',495,17,''),(8937,'Issue',495,7,''),(8938,'Issue',495,3,'Detects a Powershell process that contains download commands in its command line string'),(8939,'Issue',495,4,''),(8940,'Issue',495,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8941,'Issue',495,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(*))\nindex: so-*\nname: PowerShell Download from URL\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8942,'Issue',495,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Download from URL\nid: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7\nstatus: experimental\ndescription: Detects a Powershell process that contains download commands in its command\n  line string\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\powershell.exe\'\n    CommandLine:\n    - \'*new-object system.net.webclient).downloadstring(*\'\n    - \'*new-object system.net.webclient).downloadfile(*\'\n    - \'*new-object net.webclient).downloadstring(*\'\n    - \'*new-object net.webclient).downloadfile(*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(8943,'Issue',495,15,'T1086'),(8944,'Issue',496,1,'FromBase64String Command Line'),(8945,'Issue',496,2,'Florian Roth'),(8946,'Issue',496,8,'https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639'),(8947,'Issue',496,10,'high'),(8948,'Issue',496,13,'community'),(8949,'Issue',496,14,'windows'),(8951,'Issue',496,11,'9f0eefc93'),(8952,'Issue',496,12,'e32d4572-9826-4738-b651-95fa63747e8a'),(8953,'Issue',496,16,'win-proc'),(8954,'Issue',496,17,''),(8955,'Issue',496,7,''),(8956,'Issue',496,3,'Detects suspicious FromBase64String expressions in command line arguments'),(8957,'Issue',496,4,''),(8958,'Issue',496,5,'_False Positives_\nAdministrative script libraries'),(8959,'Issue',496,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\:\\:FromBase64String\\(*)\nindex: so-*\nname: FromBase64String Command Line\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8960,'Issue',496,9,'{{collapse(View Sigma)\n
\n\ntitle: FromBase64String Command Line\nid: e32d4572-9826-4738-b651-95fa63747e8a\nstatus: experimental\ndescription: Detects suspicious FromBase64String expressions in command line arguments\nreferences:\n- https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639\nauthor: Florian Roth\ndate: 2020/01/29\ntags:\n- attack.t1027\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains: ::FromBase64String(\n  condition: selection\nfalsepositives:\n- Administrative script libraries\nlevel: high\n\n
\n}}'),(8961,'Issue',496,15,'T1027'),(8962,'Issue',497,1,'Suspicious PowerShell Parameter Substring'),(8963,'Issue',497,2,'Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)'),(8964,'Issue',497,8,'http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier'),(8965,'Issue',497,10,'high'),(8966,'Issue',497,13,'community'),(8967,'Issue',497,14,'windows'),(8969,'Issue',497,11,'5e2eb5a76'),(8970,'Issue',497,12,'36210e0d-5b19-485d-a087-c096088885f0'),(8971,'Issue',497,16,'win-proc'),(8972,'Issue',497,17,''),(8973,'Issue',497,7,''),(8974,'Issue',497,3,'Detects suspicious PowerShell invocation with a parameter substring'),(8975,'Issue',497,4,''),(8976,'Issue',497,5,'_False Positives_\nPenetration tests'),(8977,'Issue',497,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\Powershell.exe) AND process.command_line:(\"\\ \\-windowstyle\\ h\\ \" OR \"\\ \\-windowstyl\\ h\" OR \"\\ \\-windowsty\\ h\" OR \"\\ \\-windowst\\ h\" OR \"\\ \\-windows\\ h\" OR \"\\ \\-windo\\ h\" OR \"\\ \\-wind\\ h\" OR \"\\ \\-win\\ h\" OR \"\\ \\-wi\\ h\" OR \"\\ \\-win\\ h\\ \" OR \"\\ \\-win\\ hi\\ \" OR \"\\ \\-win\\ hid\\ \" OR \"\\ \\-win\\ hidd\\ \" OR \"\\ \\-win\\ hidde\\ \" OR \"\\ \\-NoPr\\ \" OR \"\\ \\-NoPro\\ \" OR \"\\ \\-NoProf\\ \" OR \"\\ \\-NoProfi\\ \" OR \"\\ \\-NoProfil\\ \" OR \"\\ \\-nonin\\ \" OR \"\\ \\-nonint\\ \" OR \"\\ \\-noninte\\ \" OR \"\\ \\-noninter\\ \" OR \"\\ \\-nonintera\\ \" OR \"\\ \\-noninterac\\ \" OR \"\\ \\-noninteract\\ \" OR \"\\ \\-noninteracti\\ \" OR \"\\ \\-noninteractiv\\ \" OR \"\\ \\-ec\\ \" OR \"\\ \\-encodedComman\\ \" OR \"\\ \\-encodedComma\\ \" OR \"\\ \\-encodedComm\\ \" OR \"\\ \\-encodedCom\\ \" OR \"\\ \\-encodedCo\\ \" OR \"\\ \\-encodedC\\ \" OR \"\\ \\-encoded\\ \" OR \"\\ \\-encode\\ \" OR \"\\ \\-encod\\ \" OR \"\\ \\-enco\\ \" OR \"\\ \\-en\\ \"))\nindex: so-*\nname: Suspicious PowerShell Parameter Substring\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8978,'Issue',497,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious PowerShell Parameter Substring\nid: 36210e0d-5b19-485d-a087-c096088885f0\nstatus: experimental\ndescription: Detects suspicious PowerShell invocation with a parameter substring\nreferences:\n- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier\ntags:\n- attack.execution\n- attack.t1086\nauthor: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\Powershell.exe\'\n    CommandLine:\n    - \' -windowstyle h \'\n    - \' -windowstyl h\'\n    - \' -windowsty h\'\n    - \' -windowst h\'\n    - \' -windows h\'\n    - \' -windo h\'\n    - \' -wind h\'\n    - \' -win h\'\n    - \' -wi h\'\n    - \' -win h \'\n    - \' -win hi \'\n    - \' -win hid \'\n    - \' -win hidd \'\n    - \' -win hidde \'\n    - \' -NoPr \'\n    - \' -NoPro \'\n    - \' -NoProf \'\n    - \' -NoProfi \'\n    - \' -NoProfil \'\n    - \' -nonin \'\n    - \' -nonint \'\n    - \' -noninte \'\n    - \' -noninter \'\n    - \' -nonintera \'\n    - \' -noninterac \'\n    - \' -noninteract \'\n    - \' -noninteracti \'\n    - \' -noninteractiv \'\n    - \' -ec \'\n    - \' -encodedComman \'\n    - \' -encodedComma \'\n    - \' -encodedComm \'\n    - \' -encodedCom \'\n    - \' -encodedCo \'\n    - \' -encodedC \'\n    - \' -encoded \'\n    - \' -encode \'\n    - \' -encod \'\n    - \' -enco \'\n    - \' -en \'\n  condition: selection\nfalsepositives:\n- Penetration tests\nlevel: high\n\n
\n}}'),(8979,'Issue',497,15,'T1086'),(8980,'Issue',498,1,'Suspicious XOR Encoded PowerShell Command Line'),(8981,'Issue',498,2,'Sami Ruohonen'),(8982,'Issue',498,8,'none'),(8983,'Issue',498,10,'medium'),(8984,'Issue',498,13,'community'),(8985,'Issue',498,14,'windows'),(8987,'Issue',498,11,'4d93efac2'),(8988,'Issue',498,12,'bb780e0c-16cf-4383-8383-1e5471db6cf9'),(8989,'Issue',498,16,'win-proc'),(8990,'Issue',498,17,''),(8991,'Issue',498,7,''),(8992,'Issue',498,3,'Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.'),(8993,'Issue',498,4,''),(8994,'Issue',498,5,'_False Positives_\nunknown'),(8995,'Issue',498,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-bxor*))\nindex: so-*\nname: Suspicious XOR Encoded PowerShell Command Line\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(8996,'Issue',498,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious XOR Encoded PowerShell Command Line\nid: bb780e0c-16cf-4383-8383-1e5471db6cf9\ndescription: Detects suspicious powershell process which includes bxor command, alternatvide\n  obfuscation method to b64 encoded commands.\nstatus: experimental\nauthor: Sami Ruohonen\ndate: 2018/09/05\ntags:\n- attack.execution\n- attack.t1086\ndetection:\n  selection:\n    CommandLine:\n    - \'* -bxor*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\n\n
\n}}'),(8997,'Issue',498,15,'T1086'),(8998,'Issue',499,1,'Default PowerSploit and Empire Schtasks Persistence'),(8999,'Issue',499,2,'Markus Neis, @Karneades'),(9000,'Issue',499,8,'https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1\nhttps://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py\nhttps://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py'),(9001,'Issue',499,10,'high'),(9002,'Issue',499,13,'community'),(9003,'Issue',499,14,'windows'),(9005,'Issue',499,11,'52c48c3b3'),(9006,'Issue',499,12,'56c217c3-2de2-479b-990f-5c109ba8458f'),(9007,'Issue',499,16,'win-proc'),(9008,'Issue',499,17,''),(9009,'Issue',499,7,''),(9010,'Issue',499,3,'Detects the creation of a schtask via PowerSploit or Empire Default Configuration.'),(9011,'Issue',499,4,''),(9012,'Issue',499,5,'_False Positives_\nFalse positives are possible, depends on organisation and processes'),(9013,'Issue',499,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\powershell.exe) AND process.command_line.keyword:(*schtasks*\\/Create*\\/SC\\ *ONLOGON*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *DAILY*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *ONIDLE*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *Updater*\\/TN\\ *Updater*\\/TR\\ *powershell*))\nindex: so-*\nname: Default PowerSploit and Empire Schtasks Persistence\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9014,'Issue',499,9,'{{collapse(View Sigma)\n
\n\ntitle: Default PowerSploit and Empire Schtasks Persistence\nid: 56c217c3-2de2-479b-990f-5c109ba8458f\nstatus: experimental\ndescription: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.\nreferences:\n- https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1\n- https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py\n- https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py\nauthor: Markus Neis, @Karneades\ndate: 2018/03/06\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\powershell.exe\'\n    CommandLine:\n    - \'*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*\'\n    - \'*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*\'\n    - \'*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*\'\n    - \'*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*\'\n  condition: selection\ntags:\n- attack.execution\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1053\n- attack.t1086\n- attack.s0111\n- attack.g0022\n- attack.g0060\n- car.2013-08-001\nfalsepositives:\n- False positives are possible, depends on organisation and processes\nlevel: high\n\n
\n}}'),(9015,'Issue',499,15,'T1053'),(9016,'Issue',499,15,'T1086'),(9017,'Issue',500,1,'Windows Processes Suspicious Parent Directory'),(9018,'Issue',500,2,'vburov'),(9019,'Issue',500,8,'https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\nhttps://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/\nhttps://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf\nhttps://attack.mitre.org/techniques/T1036/'),(9020,'Issue',500,10,'low'),(9021,'Issue',500,13,'community'),(9022,'Issue',500,14,'windows'),(9024,'Issue',500,11,'c9688cc7f'),(9025,'Issue',500,12,'96036718-71cc-4027-a538-d1587e0006a7'),(9026,'Issue',500,16,'win-proc'),(9027,'Issue',500,17,''),(9028,'Issue',500,7,''),(9029,'Issue',500,3,'Detect suspicious parent processes of well-known Windows processes'),(9030,'Issue',500,4,''),(9031,'Issue',500,5,'_False Positives_\nSome security products seem to spawn these'),(9032,'Issue',500,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\svchost.exe OR *\\\\taskhost.exe OR *\\\\lsm.exe OR *\\\\lsass.exe OR *\\\\services.exe OR *\\\\lsaiso.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\winlogon.exe) AND (NOT (process.parent.executable.keyword:(*\\\\System32\\\\* OR *\\\\SysWOW64\\\\* OR *\\\\SavService.exe OR *\\\\Windows\\ Defender\\\\*\\\\MsMpEng.exe)))) AND (NOT (NOT _exists_:process.parent.executable)))\nindex: so-*\nname: Windows Processes Suspicious Parent Directory\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9033,'Issue',500,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Processes Suspicious Parent Directory\nid: 96036718-71cc-4027-a538-d1587e0006a7\nstatus: experimental\ndescription: Detect suspicious parent processes of well-known Windows processes\nauthor: vburov\nreferences:\n- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\n- https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/\n- https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf\n- https://attack.mitre.org/techniques/T1036/\ndate: 2019/02/23\nmodified: 2019/08/20\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\svchost.exe\'\n    - \'*\\taskhost.exe\'\n    - \'*\\lsm.exe\'\n    - \'*\\lsass.exe\'\n    - \'*\\services.exe\'\n    - \'*\\lsaiso.exe\'\n    - \'*\\csrss.exe\'\n    - \'*\\wininit.exe\'\n    - \'*\\winlogon.exe\'\n  filter:\n    ParentImage:\n    - \'*\\System32\\\\*\'\n    - \'*\\SysWOW64\\\\*\'\n    - \'*\\SavService.exe\'\n    - \'*\\Windows Defender\\\\*\\MsMpEng.exe\'\n  filter_null:\n    ParentImage:\n  condition: selection and not filter and not filter_null\nfalsepositives:\n- Some security products seem to spawn these\nlevel: low\n\n
\n}}'),(9034,'Issue',500,15,'T1036'),(9035,'Issue',501,1,'Bitsadmin Download'),(9036,'Issue',501,2,'Michael Haag'),(9037,'Issue',501,8,'https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\nhttps://isc.sans.edu/diary/22264'),(9038,'Issue',501,10,'medium'),(9039,'Issue',501,13,'community'),(9040,'Issue',501,14,'windows'),(9042,'Issue',501,11,'0859ceb13'),(9043,'Issue',501,12,'d059842b-6b9d-4ed1-b5c3-5b89143c6ede'),(9044,'Issue',501,16,'win-proc'),(9045,'Issue',501,17,''),(9046,'Issue',501,7,''),(9047,'Issue',501,3,'Detects usage of bitsadmin downloading a file'),(9048,'Issue',501,4,''),(9049,'Issue',501,5,'_False Positives_\nSome legitimate apps use this, but limited.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9050,'Issue',501,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\bitsadmin.exe) AND process.command_line.keyword:(*\\ \\/transfer\\ *)) OR process.command_line.keyword:(*copy\\ bitsadmin.exe*)))\nindex: so-*\nname: Bitsadmin Download\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9051,'Issue',501,9,'{{collapse(View Sigma)\n
\n\ntitle: Bitsadmin Download\nid: d059842b-6b9d-4ed1-b5c3-5b89143c6ede\nstatus: experimental\ndescription: Detects usage of bitsadmin downloading a file\nreferences:\n- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\n- https://isc.sans.edu/diary/22264\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1197\n- attack.s0190\ndate: 2017/03/09\nmodified: 2019/12/06\nauthor: Michael Haag\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image:\n    - \'*\\bitsadmin.exe\'\n    CommandLine:\n    - \'* /transfer *\'\n  selection2:\n    CommandLine:\n    - \'*copy bitsadmin.exe*\'\n  condition: selection1 or selection2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Some legitimate apps use this, but limited.\nlevel: medium\n\n
\n}}'),(9052,'Issue',501,15,'T1197'),(9053,'Issue',502,1,'Process Dump via Rundll32 and Comsvcs.dll'),(9054,'Issue',502,2,'Florian Roth'),(9055,'Issue',502,8,'https://twitter.com/shantanukhande/status/1229348874298388484'),(9056,'Issue',502,10,'high'),(9057,'Issue',502,13,'community'),(9058,'Issue',502,14,'windows'),(9060,'Issue',502,11,'f4af737c0'),(9061,'Issue',502,12,'646ea171-dded-4578-8a4d-65e9822892e3'),(9062,'Issue',502,16,'win-proc'),(9063,'Issue',502,17,''),(9064,'Issue',502,7,''),(9065,'Issue',502,3,'Detects a process memory dump performed via ordinal function 24 in comsvcs.dll'),(9066,'Issue',502,4,''),(9067,'Issue',502,5,'_False Positives_\nUnlikely, because no one should dump the process memory in that way'),(9068,'Issue',502,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*comsvcs.dll,#24* OR *comsvcs.dll,MiniDump*))\nindex: so-*\nname: Process Dump via Rundll32 and Comsvcs.dll\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9069,'Issue',502,9,'{{collapse(View Sigma)\n
\n\ntitle: Process Dump via Rundll32 and Comsvcs.dll\nid: 646ea171-dded-4578-8a4d-65e9822892e3\ndescription: Detects a process memory dump performed via ordinal function 24 in comsvcs.dll\nstatus: experimental\nreferences:\n- https://twitter.com/shantanukhande/status/1229348874298388484\nauthor: Florian Roth\ndate: 2020/02/18\ntags:\n- attack.defense_evasion\n- attack.t1036\n- attack.credential_access\n- attack.t1003\n- car.2013-05-009\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains:\n    - comsvcs.dll,#24\n    - comsvcs.dll,MiniDump\n  condition: selection\nfalsepositives:\n- Unlikely, because no one should dump the process memory in that way\nlevel: high\n\n
\n}}'),(9070,'Issue',502,15,'T1036'),(9071,'Issue',502,15,'T1003'),(9072,'Issue',503,1,'PsExec Service Start'),(9073,'Issue',503,2,'Florian Roth'),(9074,'Issue',503,8,'none'),(9075,'Issue',503,10,'low'),(9076,'Issue',503,13,'community'),(9077,'Issue',503,14,'windows'),(9079,'Issue',503,11,'15de28714'),(9080,'Issue',503,12,'3ede524d-21cc-472d-a3ce-d21b568d8db7'),(9081,'Issue',503,16,'win-proc'),(9082,'Issue',503,17,''),(9083,'Issue',503,7,''),(9084,'Issue',503,3,'Detects a PsExec service start'),(9085,'Issue',503,4,''),(9086,'Issue',503,5,'_False Positives_\nAdministrative activity'),(9087,'Issue',503,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ProcessCommandLine:\"C\\:\\\\Windows\\\\PSEXESVC.exe\")\nindex: so-*\nname: PsExec Service Start\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9088,'Issue',503,9,'{{collapse(View Sigma)\n
\n\ntitle: PsExec Service Start\nid: 3ede524d-21cc-472d-a3ce-d21b568d8db7\ndescription: Detects a PsExec service start\nauthor: Florian Roth\ndate: 2018/03/13\nmodified: 2012/12/11\ntags:\n- attack.execution\n- attack.t1035\n- attack.s0029\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ProcessCommandLine: C:\\Windows\\PSEXESVC.exe\n  condition: selection\nfalsepositives:\n- Administrative activity\nlevel: low\n\n
\n}}'),(9089,'Issue',503,15,'T1035'),(9090,'Issue',504,1,'Query Registry'),(9091,'Issue',504,2,'Timur Zinniatullin, oscd.community'),(9092,'Issue',504,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml'),(9093,'Issue',504,10,'low'),(9094,'Issue',504,13,'community'),(9095,'Issue',504,14,'windows'),(9097,'Issue',504,11,'05ee88dcb'),(9098,'Issue',504,12,'970007b7-ce32-49d0-a4a4-fbef016950bd'),(9099,'Issue',504,16,'win-proc'),(9100,'Issue',504,17,''),(9101,'Issue',504,7,''),(9102,'Issue',504,3,'Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.'),(9103,'Issue',504,4,''),(9104,'Issue',504,5,'_False Positives_\n Unknown\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(9105,'Issue',504,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\reg.exe AND process.command_line.keyword:(*query* OR *save* OR *export*) AND process.command_line.keyword:(*currentVersion\\\\windows* OR *currentVersion\\\\runServicesOnce* OR *currentVersion\\\\runServices* OR *winlogon\\* OR *currentVersion\\\\shellServiceObjectDelayLoad* OR *currentVersion\\\\runOnce* OR *currentVersion\\\\runOnceEx* OR *currentVersion\\\\run* OR *currentVersion\\\\policies\\\\explorer\\\\run* OR *currentcontrolset\\\\services*))\nindex: so-*\nname: Query Registry\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9106,'Issue',504,9,'{{collapse(View Sigma)\n
\n\ntitle: Query Registry\nid: 970007b7-ce32-49d0-a4a4-fbef016950bd\nstatus: experimental\ndescription: Adversaries may interact with the Windows Registry to gather information\n  about the system, configuration, and installed software.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    Image|endswith: \\reg.exe\n    CommandLine|contains:\n    - query\n    - save\n    - export\n  selection_2:\n    CommandLine|contains:\n    - currentVersion\\windows\n    - currentVersion\\runServicesOnce\n    - currentVersion\\runServices\n    - winlogon\\\n    - currentVersion\\shellServiceObjectDelayLoad\n    - currentVersion\\runOnce\n    - currentVersion\\runOnceEx\n    - currentVersion\\run\n    - currentVersion\\policies\\explorer\\run\n    - currentcontrolset\\services\n  condition: selection_1 and selection_2\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.discovery\n- attack.t1012\n- attack.t1007\n\n
\n}}'),(9107,'Issue',504,15,'T1012'),(9108,'Issue',504,15,'T1007'),(9109,'Issue',505,1,'MSTSC Shadowing'),(9110,'Issue',505,2,'Florian Roth'),(9111,'Issue',505,8,'https://twitter.com/kmkz_security/status/1220694202301976576\nhttps://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet'),(9112,'Issue',505,10,'high'),(9113,'Issue',505,13,'community'),(9114,'Issue',505,14,'windows'),(9115,'Issue',505,15,''),(9116,'Issue',505,11,'8c3dc3ef9'),(9117,'Issue',505,12,'6ba5a05f-b095-4f0a-8654-b825f4f16334'),(9118,'Issue',505,16,'win-proc'),(9119,'Issue',505,17,''),(9120,'Issue',505,7,''),(9121,'Issue',505,3,'Detects RDP session hijacking by using MSTSC shadowing'),(9122,'Issue',505,4,''),(9123,'Issue',505,5,'_False Positives_\nUnknown'),(9124,'Issue',505,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*noconsentprompt* AND process.command_line.keyword:*shadow\\:*)\nindex: so-*\nname: MSTSC Shadowing\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9125,'Issue',505,9,'{{collapse(View Sigma)\n
\n\ntitle: MSTSC Shadowing\nid: 6ba5a05f-b095-4f0a-8654-b825f4f16334\ndescription: Detects RDP session hijacking by using MSTSC shadowing\nstatus: experimental\nauthor: Florian Roth\ndate: 2020/01/24\nreferences:\n- https://twitter.com/kmkz_security/status/1220694202301976576\n- https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - noconsentprompt\n    - \'shadow:\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9126,'Issue',506,1,'Remote PowerShell Session'),(9127,'Issue',506,2,'Roberto Rodriguez @Cyb3rWard0g'),(9128,'Issue',506,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md'),(9129,'Issue',506,10,'medium'),(9130,'Issue',506,13,'community'),(9131,'Issue',506,14,'windows'),(9133,'Issue',506,11,'fe42832a8'),(9134,'Issue',506,12,'734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8'),(9135,'Issue',506,16,'win-proc'),(9136,'Issue',506,17,''),(9137,'Issue',506,7,''),(9138,'Issue',506,3,'Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)'),(9139,'Issue',506,4,''),(9140,'Issue',506,5,'_False Positives_\nLegitimate usage of remote Powershell, e.g. for monitoring purposes\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(9141,'Issue',506,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\wsmprovhost.exe OR process.parent.executable.keyword:*\\\\wsmprovhost.exe))\nindex: so-*\nname: Remote PowerShell Session\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9142,'Issue',506,9,'{{collapse(View Sigma)\n
\n\ntitle: Remote PowerShell Session\nid: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8\ndescription: Detects remote PowerShell sections by monitoring for wsmprovhost as a\n  parent or child process (sign of an active ps remote session)\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\wsmprovhost.exe\n  - ParentImage|endswith: \\wsmprovhost.exe\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate usage of remote Powershell, e.g. for monitoring purposes\nlevel: medium\n\n
\n}}'),(9143,'Issue',506,15,'T1086'),(9144,'Issue',507,1,'Discovery of a System Time'),(9145,'Issue',507,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(9146,'Issue',507,8,'https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md'),(9147,'Issue',507,10,'low'),(9148,'Issue',507,13,'community'),(9149,'Issue',507,14,'windows'),(9151,'Issue',507,11,'9639546cc'),(9152,'Issue',507,12,'b243b280-65fe-48df-ba07-6ddea7646427'),(9153,'Issue',507,16,'win-proc'),(9154,'Issue',507,17,''),(9155,'Issue',507,7,''),(9156,'Issue',507,3,'Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.'),(9157,'Issue',507,4,''),(9158,'Issue',507,5,'_False Positives_\nLegitimate use of the system utilities to discover system time for legitimate reason'),(9159,'Issue',507,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*time*) OR (process.executable.keyword:*\\\\w32tm.exe AND process.command_line.keyword:*tz*) OR (process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Get\\-Date*)))\nindex: so-*\nname: Discovery of a System Time\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9160,'Issue',507,9,'{{collapse(View Sigma)\n
\n\ntitle: Discovery of a System Time\nid: b243b280-65fe-48df-ba07-6ddea7646427\ndescription: Identifies use of various commands to query a systems time. This technique\n  may be used before executing a scheduled task or to discover the time zone of a\n  target system.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md\ntags:\n- attack.discovery\n- attack.t1124\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: time\n  - Image|endswith: \\w32tm.exe\n    CommandLine|contains: tz\n  - Image|endswith: \\powershell.exe\n    CommandLine|contains: Get-Date\n  condition: selection\nfalsepositives:\n- Legitimate use of the system utilities to discover system time for legitimate reason\nlevel: low\n\n
\n}}'),(9161,'Issue',507,15,'T1124'),(9162,'Issue',508,1,'Renamed Binary'),(9163,'Issue',508,2,'Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements)'),(9164,'Issue',508,8,'https://attack.mitre.org/techniques/T1036/\nhttps://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\nhttps://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html'),(9165,'Issue',508,10,'medium'),(9166,'Issue',508,13,'community'),(9167,'Issue',508,14,'windows'),(9169,'Issue',508,11,'b585cbf22'),(9170,'Issue',508,12,'36480ae1-a1cb-4eaa-a0d6-29801d7e9142'),(9171,'Issue',508,16,'win-proc'),(9172,'Issue',508,17,''),(9173,'Issue',508,7,''),(9174,'Issue',508,3,'Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.'),(9175,'Issue',508,4,''),(9176,'Issue',508,5,'_False Positives_\nCustom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist'),(9177,'Issue',508,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:(\"cmd.exe\" OR \"powershell.exe\" OR \"powershell_ise.exe\" OR \"psexec.exe\" OR \"psexec.c\" OR \"cscript.exe\" OR \"wscript.exe\" OR \"mshta.exe\" OR \"regsvr32.exe\" OR \"wmic.exe\" OR \"certutil.exe\" OR \"rundll32.exe\" OR \"cmstp.exe\" OR \"msiexec.exe\" OR \"7z.exe\" OR \"winrar.exe\" OR \"wevtutil.exe\" OR \"net.exe\" OR \"net1.exe\") AND (NOT (process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe OR *\\\\7z.exe OR *\\\\winrar.exe OR *\\\\wevtutil.exe OR *\\\\net.exe OR *\\\\net1.exe))))\nindex: so-*\nname: Renamed Binary\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9178,'Issue',508,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed Binary\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)\ndate: 2019/06/15\nmodified: 2019/11/11\nreferences:\n    - https://attack.mitre.org/techniques/T1036/\n    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n    - attack.t1036\n    - attack.defense_evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName:\n            - \'cmd.exe\'\n            - \'powershell.exe\'\n            - \'powershell_ise.exe\'\n            - \'psexec.exe\'\n            - \'psexec.c\'  # old versions of psexec (2016 seen)\n            - \'cscript.exe\'\n            - \'wscript.exe\'\n            - \'mshta.exe\'\n            - \'regsvr32.exe\'\n            - \'wmic.exe\'\n            - \'certutil.exe\'\n            - \'rundll32.exe\'\n            - \'cmstp.exe\'\n            - \'msiexec.exe\'\n            - \'7z.exe\'\n            - \'winrar.exe\'\n            - \'wevtutil.exe\'\n            - \'net.exe\'\n            - \'net1.exe\'\n            - \'netsh.exe\'\n    filter:\n        Image|endswith:\n            - \'\\cmd.exe\'\n            - \'\\powershell.exe\'\n            - \'\\powershell_ise.exe\'\n            - \'\\psexec.exe\'\n            - \'\\psexec64.exe\'\n            - \'\\cscript.exe\'\n            - \'\\wscript.exe\'\n            - \'\\mshta.exe\'\n            - \'\\regsvr32.exe\'\n            - \'\\wmic.exe\'\n            - \'\\certutil.exe\'\n            - \'\\rundll32.exe\'\n            - \'\\cmstp.exe\'\n            - \'\\msiexec.exe\'\n            - \'\\7z.exe\'\n            - \'\\winrar.exe\'\n            - \'\\wevtutil.exe\'\n            - \'\\net.exe\'\n            - \'\\net1.exe\'\n            - \'\\netsh.exe\'\n    condition: selection and not filter\nfalsepositives:\n    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist\nlevel: medium\n\n
\n}}'),(9179,'Issue',508,15,'T1036'),(9180,'Issue',509,1,'Highly Relevant Renamed Binary'),(9181,'Issue',509,2,'Matthew Green - @mgreen27, Florian Roth'),(9182,'Issue',509,8,'https://attack.mitre.org/techniques/T1036/\nhttps://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\nhttps://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html'),(9183,'Issue',509,10,'high'),(9184,'Issue',509,13,'community'),(9185,'Issue',509,14,'windows'),(9187,'Issue',509,11,'11b349716'),(9188,'Issue',509,12,'0ba1da6d-b6ce-4366-828c-18826c9de23e'),(9189,'Issue',509,16,'win-proc'),(9190,'Issue',509,17,''),(9191,'Issue',509,7,''),(9192,'Issue',509,3,'Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.'),(9193,'Issue',509,4,''),(9194,'Issue',509,5,'_False Positives_\nCustom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist'),(9195,'Issue',509,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:(\"powershell.exe\" OR \"powershell_ise.exe\" OR \"psexec.exe\" OR \"psexec.c\" OR \"cscript.exe\" OR \"wscript.exe\" OR \"mshta.exe\" OR \"regsvr32.exe\" OR \"wmic.exe\" OR \"certutil.exe\" OR \"rundll32.exe\" OR \"cmstp.exe\" OR \"msiexec.exe\") AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe))))\nindex: so-*\nname: Highly Relevant Renamed Binary\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9196,'Issue',509,9,'{{collapse(View Sigma)\n
\n\ntitle: Highly Relevant Renamed Binary\nid: 0ba1da6d-b6ce-4366-828c-18826c9de23e\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or\n  malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Florian Roth\ndate: 2019/06/15\nreferences:\n- https://attack.mitre.org/techniques/T1036/\n- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n- attack.t1036\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    OriginalFileName:\n    - powershell.exe\n    - powershell_ise.exe\n    - psexec.exe\n    - psexec.c\n    - cscript.exe\n    - wscript.exe\n    - mshta.exe\n    - regsvr32.exe\n    - wmic.exe\n    - certutil.exe\n    - rundll32.exe\n    - cmstp.exe\n    - msiexec.exe\n  filter:\n    Image:\n    - \'*\\powershell.exe\'\n    - \'*\\powershell_ise.exe\'\n    - \'*\\psexec.exe\'\n    - \'*\\psexec64.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\mshta.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\wmic.exe\'\n    - \'*\\certutil.exe\'\n    - \'*\\rundll32.exe\'\n    - \'*\\cmstp.exe\'\n    - \'*\\msiexec.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Custom applications use renamed binaries adding slight change to binary name. Typically\n  this is easy to spot and add to whitelist\nlevel: high\n\n
\n}}'),(9197,'Issue',509,15,'T1036'),(9198,'Issue',510,1,'Execution of Renamed PaExec'),(9199,'Issue',510,2,'Jason Lynch'),(9200,'Issue',510,8,'sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc\nhttps://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf'),(9201,'Issue',510,10,'medium'),(9202,'Issue',510,13,'community'),(9203,'Issue',510,14,'windows'),(9205,'Issue',510,11,'53a0f9acd'),(9206,'Issue',510,12,'7b0666ad-3e38-4e3d-9bab-78b06de85f7b'),(9207,'Issue',510,16,'win-proc'),(9208,'Issue',510,17,''),(9209,'Issue',510,7,''),(9210,'Issue',510,3,'Detects execution of renamed paexec via imphash and executable product string'),(9211,'Issue',510,4,''),(9212,'Issue',510,5,'_False Positives_\nUnknown imphashes'),(9213,'Issue',510,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.pe.product.keyword:(*PAExec*) AND event_data.Imphash:(\"11D40A7B7876288F919AB819CC2D9802\" OR \"6444f8a34e99b8f7d9647de66aabe516\" OR \"dfd6aa3f7b2b1035b76b718f1ddc689f\" OR \"1a6cca4d5460b1710a12dea39e4a592c\")) AND (NOT (process.executable.keyword:*paexec*)))\nindex: so-*\nname: Execution of Renamed PaExec\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9214,'Issue',510,9,'{{collapse(View Sigma)\n
\n\ntitle: Execution of Renamed PaExec\nid: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b\nstatus: experimental\ndescription: Detects execution of renamed paexec via imphash and executable product\n  string\nreferences:\n- sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc\n- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf\ntags:\n- attack.defense_evasion\n- attack.t1036\n- FIN7\n- car.2013-05-009\ndate: 2019/04/17\nauthor: Jason Lynch\nfalsepositives:\n- Unknown imphashes\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Product:\n    - \'*PAExec*\'\n  selection2:\n    Imphash:\n    - 11D40A7B7876288F919AB819CC2D9802\n    - 6444f8a34e99b8f7d9647de66aabe516\n    - dfd6aa3f7b2b1035b76b718f1ddc689f\n    - 1a6cca4d5460b1710a12dea39e4a592c\n  filter1:\n    Image: \'*paexec*\'\n  condition: (selection1 and selection2) and not filter1\n\n
\n}}'),(9215,'Issue',510,15,'T1036'),(9216,'Issue',511,1,'Run PowerShell Script from ADS'),(9217,'Issue',511,2,'Sergey Soldatov, Kaspersky Lab, oscd.community'),(9218,'Issue',511,8,'https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1'),(9219,'Issue',511,10,'high'),(9220,'Issue',511,13,'community'),(9221,'Issue',511,14,'windows'),(9223,'Issue',511,11,'3297ebd01'),(9224,'Issue',511,12,'45a594aa-1fbd-4972-a809-ff5a99dd81b8'),(9225,'Issue',511,16,'win-proc'),(9226,'Issue',511,17,''),(9227,'Issue',511,7,''),(9228,'Issue',511,3,'Detects PowerShell script execution from Alternate Data Stream (ADS)'),(9229,'Issue',511,4,''),(9230,'Issue',511,5,'_False Positives_\nUnknown'),(9231,'Issue',511,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\powershell.exe AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Get\\-Content* AND process.command_line.keyword:*\\-Stream*)\nindex: so-*\nname: Run PowerShell Script from ADS\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9232,'Issue',511,9,'{{collapse(View Sigma)\n
\n\ntitle: Run PowerShell Script from ADS\nid: 45a594aa-1fbd-4972-a809-ff5a99dd81b8\nstatus: experimental\ndescription: Detects PowerShell script execution from Alternate Data Stream (ADS)\nreferences:\n- https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1\nauthor: Sergey Soldatov, Kaspersky Lab, oscd.community\ndate: 2019/10/30\ntags:\n- attack.defense_evasion\n- attack.t1096\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\powershell.exe\n    Image|endswith: \\powershell.exe\n    CommandLine|contains|all:\n    - Get-Content\n    - -Stream\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9233,'Issue',511,15,'T1096'),(9234,'Issue',512,1,'Possible Shim Database Persistence via sdbinst.exe'),(9235,'Issue',512,2,'Markus Neis'),(9236,'Issue',512,8,'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html'),(9237,'Issue',512,10,'high'),(9238,'Issue',512,13,'community'),(9239,'Issue',512,14,'windows'),(9241,'Issue',512,11,'1f62648d2'),(9242,'Issue',512,12,'517490a7-115a-48c6-8862-1a481504d5a8'),(9243,'Issue',512,16,'win-proc'),(9244,'Issue',512,17,''),(9245,'Issue',512,7,''),(9246,'Issue',512,3,'Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.'),(9247,'Issue',512,4,''),(9248,'Issue',512,5,'_False Positives_\nUnknown'),(9249,'Issue',512,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\sdbinst.exe) AND process.command_line.keyword:(*.sdb*))\nindex: so-*\nname: Possible Shim Database Persistence via sdbinst.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9250,'Issue',512,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Shim Database Persistence via sdbinst.exe\nid: 517490a7-115a-48c6-8862-1a481504d5a8\nstatus: experimental\ndescription: Detects installation of a new shim using sdbinst.exe. A shim can be used\n  to load malicious DLLs into applications.\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\ntags:\n- attack.persistence\n- attack.t1138\nauthor: Markus Neis\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\sdbinst.exe\'\n    CommandLine:\n    - \'*.sdb*\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9251,'Issue',512,15,'T1138'),(9252,'Issue',513,1,'Service Execution'),(9253,'Issue',513,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(9254,'Issue',513,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml'),(9255,'Issue',513,10,'low'),(9256,'Issue',513,13,'community'),(9257,'Issue',513,14,'windows'),(9259,'Issue',513,11,'0313836b2'),(9260,'Issue',513,12,'2a072a96-a086-49fa-bcb5-15cc5a619093'),(9261,'Issue',513,16,'win-proc'),(9262,'Issue',513,17,''),(9263,'Issue',513,7,''),(9264,'Issue',513,3,'Detects manual service execution (start) via system utilities'),(9265,'Issue',513,4,''),(9266,'Issue',513,5,'_False Positives_\nLegitimate administrator or user executes a service for legitimate reason'),(9267,'Issue',513,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*\\ start\\ *)\nindex: so-*\nname: Service Execution\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9268,'Issue',513,9,'{{collapse(View Sigma)\n
\n\ntitle: Service Execution\nid: 2a072a96-a086-49fa-bcb5-15cc5a619093\nstatus: experimental\ndescription: Detects manual service execution (start) via system utilities\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: \' start \'\n  condition: selection\nfalsepositives:\n- Legitimate administrator or user executes a service for legitimate reason\nlevel: low\ntags:\n- attack.execution\n- attack.t1035\n\n
\n}}'),(9269,'Issue',513,15,'T1035'),(9270,'Issue',514,1,'Stop Windows Service'),(9271,'Issue',514,2,'Jakob Weinzettl, oscd.community'),(9272,'Issue',514,8,'none'),(9273,'Issue',514,10,'low'),(9274,'Issue',514,13,'community'),(9275,'Issue',514,14,'windows'),(9277,'Issue',514,11,'f5cf59506'),(9278,'Issue',514,12,'eb87818d-db5d-49cc-a987-d5da331fbd90'),(9279,'Issue',514,16,'win-proc'),(9280,'Issue',514,17,''),(9281,'Issue',514,7,''),(9282,'Issue',514,3,'Detects a windows service to be stopped'),(9283,'Issue',514,4,''),(9284,'Issue',514,5,'_False Positives_\nAdministrator shutting down the service due to upgrade or removal purposes\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(9285,'Issue',514,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\sc.exe OR *\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*stop*)\nindex: so-*\nname: Stop Windows Service\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9286,'Issue',514,9,'{{collapse(View Sigma)\n
\n\ntitle: Stop Windows Service\nid: eb87818d-db5d-49cc-a987-d5da331fbd90\ndescription: Detects a windows service to be stopped\nstatus: experimental\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.impact\n- attack.t1489\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith:\n    - \\sc.exe\n    - \\net.exe\n    - \\net1.exe\n    CommandLine|contains: stop\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Administrator shutting down the service due to upgrade or removal purposes\nlevel: low\n\n
\n}}'),(9287,'Issue',514,15,'T1489'),(9288,'Issue',515,1,'Shadow Copies Access via Symlink'),(9289,'Issue',515,2,'Teymur Kheirkhabarov, oscd.community'),(9290,'Issue',515,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(9291,'Issue',515,10,'medium'),(9292,'Issue',515,13,'community'),(9293,'Issue',515,14,'windows'),(9295,'Issue',515,11,'42af87c98'),(9296,'Issue',515,12,'40b19fa6-d835-400c-b301-41f3a2baacaf'),(9297,'Issue',515,16,'win-proc'),(9298,'Issue',515,17,''),(9299,'Issue',515,7,''),(9300,'Issue',515,3,'Shadow Copies storage symbolic link creation using operating systems utilities'),(9301,'Issue',515,4,''),(9302,'Issue',515,5,'_False Positives_\nLegitimate administrator working with shadow copies, access for backup purposes'),(9303,'Issue',515,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*mklink* AND process.command_line.keyword:*HarddiskVolumeShadowCopy*)\nindex: so-*\nname: Shadow Copies Access via Symlink\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9304,'Issue',515,9,'{{collapse(View Sigma)\n
\n\ntitle: Shadow Copies Access via Symlink\nid: 40b19fa6-d835-400c-b301-41f3a2baacaf\ndescription: Shadow Copies storage symbolic link creation using operating systems\n  utilities\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - mklink\n    - HarddiskVolumeShadowCopy\n  condition: selection\nfalsepositives:\n- Legitimate administrator working with shadow copies, access for backup purposes\nstatus: experimental\nlevel: medium\n\n
\n}}'),(9305,'Issue',515,15,'T1003'),(9306,'Issue',516,1,'Shadow Copies Creation Using Operating Systems Utilities'),(9307,'Issue',516,2,'Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(9308,'Issue',516,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/'),(9309,'Issue',516,10,'medium'),(9310,'Issue',516,13,'community'),(9311,'Issue',516,14,'windows'),(9313,'Issue',516,11,'8093daa95'),(9314,'Issue',516,12,'b17ea6f7-6e90-447e-a799-e6c0a493d6ce'),(9315,'Issue',516,16,'win-proc'),(9316,'Issue',516,17,''),(9317,'Issue',516,7,''),(9318,'Issue',516,3,'Shadow Copies creation using operating systems utilities, possible credential access'),(9319,'Issue',516,4,''),(9320,'Issue',516,5,'_False Positives_\nLegitimate administrator working with shadow copies, access for backup purposes'),(9321,'Issue',516,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\powershell.exe OR *\\\\wmic.exe OR *\\\\vssadmin.exe) AND process.command_line.keyword:*shadow* AND process.command_line.keyword:*create*)\nindex: so-*\nname: Shadow Copies Creation Using Operating Systems Utilities\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9322,'Issue',516,9,'{{collapse(View Sigma)\n
\n\ntitle: Shadow Copies Creation Using Operating Systems Utilities\nid: b17ea6f7-6e90-447e-a799-e6c0a493d6ce\ndescription: Shadow Copies creation using operating systems utilities, possible credential\n  access\nauthor: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    NewProcessName|endswith:\n    - \\powershell.exe\n    - \\wmic.exe\n    - \\vssadmin.exe\n    CommandLine|contains|all:\n    - shadow\n    - create\n  condition: selection\nfalsepositives:\n- Legitimate administrator working with shadow copies, access for backup purposes\nstatus: experimental\nlevel: medium\n\n
\n}}'),(9323,'Issue',516,15,'T1003'),(9324,'Issue',517,1,'Shadow Copies Deletion Using Operating Systems Utilities'),(9325,'Issue',517,2,'Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(9326,'Issue',517,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://blog.talosintelligence.com/2017/05/wannacry.html\nhttps://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\nhttps://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\nhttps://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100'),(9327,'Issue',517,10,'critical'),(9328,'Issue',517,13,'community'),(9329,'Issue',517,14,'windows'),(9331,'Issue',517,11,'afac78337'),(9332,'Issue',517,12,'c947b146-0abc-4c87-9c64-b17e9d7274a2'),(9333,'Issue',517,16,'win-proc'),(9334,'Issue',517,17,''),(9335,'Issue',517,7,''),(9336,'Issue',517,3,'Shadow Copies deletion using operating systems utilities'),(9337,'Issue',517,4,''),(9338,'Issue',517,5,'_False Positives_\nLegitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9339,'Issue',517,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\powershell.exe OR *\\\\wmic.exe OR *\\\\vssadmin.exe) AND process.command_line.keyword:*shadow* AND process.command_line.keyword:*delete*)\nindex: so-*\nname: Shadow Copies Deletion Using Operating Systems Utilities\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9340,'Issue',517,9,'{{collapse(View Sigma)\n
\n\ntitle: Shadow Copies Deletion Using Operating Systems Utilities\nid: c947b146-0abc-4c87-9c64-b17e9d7274a2\nstatus: stable\ndescription: Shadow Copies deletion using operating systems utilities\nauthor: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://blog.talosintelligence.com/2017/05/wannacry.html\n- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\n- https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\n- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\ntags:\n- attack.defense_evasion\n- attack.impact\n- attack.t1070\n- attack.t1490\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    NewProcessName|endswith:\n    - \\powershell.exe\n    - \\wmic.exe\n    - \\vssadmin.exe\n    CommandLine|contains|all:\n    - shadow\n    - delete\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate Administrator deletes Shadow Copies using operating systems utilities\n  for legitimate reason\nlevel: critical\n\n
\n}}'),(9341,'Issue',517,15,'T1070'),(9342,'Issue',517,15,'T1490'),(9343,'Issue',518,1,'Windows Shell Spawning Suspicious Program'),(9344,'Issue',518,2,'Florian Roth'),(9345,'Issue',518,8,'https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html'),(9346,'Issue',518,10,'high'),(9347,'Issue',518,13,'community'),(9348,'Issue',518,14,'windows'),(9350,'Issue',518,11,'cbf52c91d'),(9351,'Issue',518,12,'3a6586ad-127a-4d3b-a677-1e6eacdf8fde'),(9352,'Issue',518,16,'win-proc'),(9353,'Issue',518,17,''),(9354,'Issue',518,7,''),(9355,'Issue',518,3,'Detects a suspicious child process of a Windows shell'),(9356,'Issue',518,4,''),(9357,'Issue',518,5,'_False Positives_\nAdministrative scripts\nMicrosoft SCCM\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9358,'Issue',518,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:(*\\\\mshta.exe OR *\\\\powershell.exe OR *\\\\rundll32.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\wmiprvse.exe) AND process.executable.keyword:(*\\\\schtasks.exe OR *\\\\nslookup.exe OR *\\\\certutil.exe OR *\\\\bitsadmin.exe OR *\\\\mshta.exe)) AND (NOT (process.working_directory\".keyword:*\\\\ccmcache\\\\*)))\nindex: so-*\nname: Windows Shell Spawning Suspicious Program\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9359,'Issue',518,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows Shell Spawning Suspicious Program\nid: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde\nstatus: experimental\ndescription: Detects a suspicious child process of a Windows shell\nreferences:\n- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\nauthor: Florian Roth\ndate: 2018/04/06\nmodified: 2019/02/05\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\mshta.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\rundll32.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\wscript.exe\'\n    - \'*\\wmiprvse.exe\'\n    Image:\n    - \'*\\schtasks.exe\'\n    - \'*\\nslookup.exe\'\n    - \'*\\certutil.exe\'\n    - \'*\\bitsadmin.exe\'\n    - \'*\\mshta.exe\'\n  falsepositives:\n    CurrentDirectory: \'*\\ccmcache\\\\*\'\n  condition: selection and not falsepositives\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\n- Microsoft SCCM\nlevel: high\n\n
\n}}'),(9360,'Issue',518,15,'T1064'),(9361,'Issue',519,1,'Audio Capture via SoundRecorder'),(9362,'Issue',519,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(9363,'Issue',519,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html'),(9364,'Issue',519,10,'medium'),(9365,'Issue',519,13,'community'),(9366,'Issue',519,14,'windows'),(9368,'Issue',519,11,'cb34e0e58'),(9369,'Issue',519,12,'83865853-59aa-449e-9600-74b9d89a6d6e'),(9370,'Issue',519,16,'win-proc'),(9371,'Issue',519,17,''),(9372,'Issue',519,7,''),(9373,'Issue',519,3,'Detect attacker collecting audio via SoundRecorder application'),(9374,'Issue',519,4,''),(9375,'Issue',519,5,'_False Positives_\nLegitimate audio capture by legitimate user'),(9376,'Issue',519,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\SoundRecorder.exe AND process.command_line.keyword:*\\/FILE*)\nindex: so-*\nname: Audio Capture via SoundRecorder\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9377,'Issue',519,9,'{{collapse(View Sigma)\n
\n\ntitle: Audio Capture via SoundRecorder\nid: 83865853-59aa-449e-9600-74b9d89a6d6e\ndescription: Detect attacker collecting audio via SoundRecorder application\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html\ntags:\n- attack.collection\n- attack.t1123\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\SoundRecorder.exe\n    CommandLine|contains: /FILE\n  condition: selection\nfalsepositives:\n- Legitimate audio capture by legitimate user\nlevel: medium\n\n
\n}}'),(9378,'Issue',519,15,'T1123'),(9379,'Issue',520,1,'Possible SPN Enumeration'),(9380,'Issue',520,2,'Markus Neis, keepwatch'),(9381,'Issue',520,8,'https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation'),(9382,'Issue',520,10,'medium'),(9383,'Issue',520,13,'community'),(9384,'Issue',520,14,'windows'),(9386,'Issue',520,11,'f2f2e56bb'),(9387,'Issue',520,12,'1eeed653-dbc8-4187-ad0c-eeebb20e6599'),(9388,'Issue',520,16,'win-proc'),(9389,'Issue',520,17,''),(9390,'Issue',520,7,''),(9391,'Issue',520,3,'Detects Service Principal Name Enumeration used for Kerberoasting'),(9392,'Issue',520,4,''),(9393,'Issue',520,5,'_False Positives_\nAdministrator Activity'),(9394,'Issue',520,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\setspn.exe OR process.pe.description.keyword:*Query\\ or\\ reset\\ the\\ computer*\\ SPN\\ attribute*) AND process.command_line.keyword:*\\-q*)\nindex: so-*\nname: Possible SPN Enumeration\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9395,'Issue',520,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible SPN Enumeration\nid: 1eeed653-dbc8-4187-ad0c-eeebb20e6599\ndescription: Detects Service Principal Name Enumeration used for Kerberoasting\nstatus: experimental\nreferences:\n- https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation\nauthor: Markus Neis, keepwatch\ndate: 2018/11/14\ntags:\n- attack.credential_access\n- attack.t1208\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_image:\n    Image: \'*\\setspn.exe\'\n  selection_desc:\n    Description: \'*Query or reset the computer* SPN attribute*\'\n  cmd:\n    CommandLine: \'*-q*\'\n  condition: (selection_image or selection_desc) and cmd\nfalsepositives:\n- Administrator Activity\nlevel: medium\n\n
\n}}'),(9396,'Issue',520,15,'T1208'),(9397,'Issue',521,1,'Possible Ransomware or Unauthorized MBR Modifications'),(9398,'Issue',521,2,'@neu5ron'),(9399,'Issue',521,8,'https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set'),(9400,'Issue',521,10,'medium'),(9401,'Issue',521,13,'community'),(9402,'Issue',521,14,'windows'),(9404,'Issue',521,11,'09cf8bf91'),(9405,'Issue',521,12,'c9fbe8e9-119d-40a6-9b59-dd58a5d84429'),(9406,'Issue',521,16,'win-proc'),(9407,'Issue',521,17,''),(9408,'Issue',521,7,''),(9409,'Issue',521,3,'Detects, possibly, malicious unauthorized usage of bcdedit.exe'),(9410,'Issue',521,4,''),(9411,'Issue',521,5,'_False Positives_\n Unknown'),(9412,'Issue',521,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:*\\\\bcdedit.exe AND ProcessCommandLine.keyword:(*delete* OR *deletevalue* OR *import*))\nindex: so-*\nname: Possible Ransomware or Unauthorized MBR Modifications\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9413,'Issue',521,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Ransomware or Unauthorized MBR Modifications\nid: c9fbe8e9-119d-40a6-9b59-dd58a5d84429\nstatus: experimental\ndescription: Detects, possibly, malicious unauthorized usage of bcdedit.exe\nreferences:\n- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set\nauthor: \'@neu5ron\'\ndate: 2019/02/07\ntags:\n- attack.defense_evasion\n- attack.t1070\n- attack.persistence\n- attack.t1067\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    NewProcessName: \'*\\bcdedit.exe\'\n    ProcessCommandLine:\n    - \'*delete*\'\n    - \'*deletevalue*\'\n    - \'*import*\'\n  condition: selection\nlevel: medium\n\n
\n}}'),(9414,'Issue',521,15,'T1070'),(9415,'Issue',521,15,'T1067'),(9416,'Issue',522,1,'Application Whitelisting Bypass via Bginfo'),(9417,'Issue',522,2,'Beyu Denis, oscd.community'),(9418,'Issue',522,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml\nhttps://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/'),(9419,'Issue',522,10,'medium'),(9420,'Issue',522,13,'community'),(9421,'Issue',522,14,'windows'),(9423,'Issue',522,11,'6fd11c107'),(9424,'Issue',522,12,'aaf46cdc-934e-4284-b329-34aa701e3771'),(9425,'Issue',522,16,'win-proc'),(9426,'Issue',522,17,''),(9427,'Issue',522,7,''),(9428,'Issue',522,3,'Execute VBscript code that is referenced within the *.bgi file.'),(9429,'Issue',522,4,''),(9430,'Issue',522,5,'_False Positives_\nUnknown'),(9431,'Issue',522,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\bginfo.exe AND process.command_line.keyword:*\\/popup* AND process.command_line.keyword:*\\/nolicprompt*)\nindex: so-*\nname: Application Whitelisting Bypass via Bginfo\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9432,'Issue',522,9,'{{collapse(View Sigma)\n
\n\ntitle: Application Whitelisting Bypass via Bginfo\nid: aaf46cdc-934e-4284-b329-34aa701e3771\nstatus: experimental\ndescription: Execute VBscript code that is referenced within the *.bgi file.\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml\n- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\bginfo.exe\n    CommandLine|contains|all:\n    - /popup\n    - /nolicprompt\n  condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(9433,'Issue',522,15,'T1218'),(9434,'Issue',523,1,'Suspicious Calculator Usage'),(9435,'Issue',523,2,'Florian Roth'),(9436,'Issue',523,8,'https://twitter.com/ItsReallyNick/status/1094080242686312448'),(9437,'Issue',523,10,'high'),(9438,'Issue',523,13,'community'),(9439,'Issue',523,14,'windows'),(9441,'Issue',523,11,'7ea9554ba'),(9442,'Issue',523,12,'737e618a-a410-49b5-bec3-9e55ff7fbc15'),(9443,'Issue',523,16,'win-proc'),(9444,'Issue',523,17,''),(9445,'Issue',523,7,''),(9446,'Issue',523,3,'Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion'),(9447,'Issue',523,4,''),(9448,'Issue',523,5,'_False Positives_\nUnknown'),(9449,'Issue',523,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\calc.exe\\ * OR (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\calc.exe AND (NOT (process.executable.keyword:*\\\\Windows\\\\Sys*)))))\nindex: so-*\nname: Suspicious Calculator Usage\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9450,'Issue',523,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Calculator Usage\nid: 737e618a-a410-49b5-bec3-9e55ff7fbc15\ndescription: Detects suspicious use of calc.exe with command line parameters or in\n  a suspicious directory, which is likely caused by some PoC or detection evasion\nstatus: experimental\nreferences:\n- https://twitter.com/ItsReallyNick/status/1094080242686312448\nauthor: Florian Roth\ndate: 2019/02/09\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine: \'*\\calc.exe *\'\n  selection2:\n    Image: \'*\\calc.exe\'\n  filter2:\n    Image: \'*\\Windows\\Sys*\'\n  condition: selection1 or ( selection2 and not filter2 )\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9451,'Issue',523,15,'T1036'),(9452,'Issue',524,1,'Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner'),(9453,'Issue',524,2,'Beyu Denis, oscd.community'),(9454,'Issue',524,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml\nhttp://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html'),(9455,'Issue',524,10,'medium'),(9456,'Issue',524,13,'community'),(9457,'Issue',524,14,'windows'),(9459,'Issue',524,11,'ef8ab8f1c'),(9460,'Issue',524,12,'b5c7395f-e501-4a08-94d4-57fe7a9da9d2'),(9461,'Issue',524,16,'win-proc'),(9462,'Issue',524,17,''),(9463,'Issue',524,7,''),(9464,'Issue',524,3,'Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.'),(9465,'Issue',524,4,''),(9466,'Issue',524,5,'_False Positives_\nLegitimate use of debugging tools'),(9467,'Issue',524,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cdb.exe AND process.command_line.keyword:*\\-cf*)\nindex: so-*\nname: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9468,'Issue',524,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner\nid: b5c7395f-e501-4a08-94d4-57fe7a9da9d2\nstatus: experimental\ndescription: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml\n- http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\cdb.exe\n    CommandLine|contains: -cf\n  condition: selection\nfalsepositives:\n- Legitimate use of debugging tools\n\n
\n}}'),(9469,'Issue',524,15,'T1218'),(9470,'Issue',525,1,'Suspicious Certutil Command'),(9471,'Issue',525,2,'Florian Roth, juju4, keepwatch'),(9472,'Issue',525,8,'https://twitter.com/JohnLaTwC/status/835149808817991680\nhttps://twitter.com/subTee/status/888102593838362624\nhttps://twitter.com/subTee/status/888071631528235010\nhttps://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/\nhttps://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\nhttps://twitter.com/egre55/status/1087685529016193025\nhttps://lolbas-project.github.io/lolbas/Binaries/Certutil/'),(9473,'Issue',525,10,'high'),(9474,'Issue',525,13,'community'),(9475,'Issue',525,14,'windows'),(9477,'Issue',525,11,'67ceb029c'),(9478,'Issue',525,12,'e011a729-98a6-4139-b5c4-bf6f6dd8239a'),(9479,'Issue',525,16,'win-proc'),(9480,'Issue',525,17,''),(9481,'Issue',525,7,''),(9482,'Issue',525,3,'Detects a suspicious Microsoft certutil execution with sub commands like \'decode\' sub command, which is sometimes used to decode malicious code with the built-in certutil utility'),(9483,'Issue',525,4,''),(9484,'Issue',525,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9485,'Issue',525,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-decode\\ * OR *\\ \\/decode\\ * OR *\\ \\-decodehex\\ * OR *\\ \\/decodehex\\ * OR *\\ \\-urlcache\\ * OR *\\ \\/urlcache\\ * OR *\\ \\-verifyctl\\ * OR *\\ \\/verifyctl\\ * OR *\\ \\-encode\\ * OR *\\ \\/encode\\ * OR *certutil*\\ \\-URL* OR *certutil*\\ \\/URL* OR *certutil*\\ \\-ping* OR *certutil*\\ \\/ping*))\nindex: so-*\nname: Suspicious Certutil Command\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9486,'Issue',525,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Certutil Command\nid: e011a729-98a6-4139-b5c4-bf6f6dd8239a\nstatus: experimental\ndescription: Detects a suspicious Microsoft certutil execution with sub commands like\n  \'decode\' sub command, which is sometimes used to decode malicious code with the\n  built-in certutil utility\nauthor: Florian Roth, juju4, keepwatch\nmodified: 2019/01/22\ndate: 2019/01/16\nreferences:\n- https://twitter.com/JohnLaTwC/status/835149808817991680\n- https://twitter.com/subTee/status/888102593838362624\n- https://twitter.com/subTee/status/888071631528235010\n- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/\n- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\n- https://twitter.com/egre55/status/1087685529016193025\n- https://lolbas-project.github.io/lolbas/Binaries/Certutil/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -decode *\'\n    - \'* /decode *\'\n    - \'* -decodehex *\'\n    - \'* /decodehex *\'\n    - \'* -urlcache *\'\n    - \'* /urlcache *\'\n    - \'* -verifyctl *\'\n    - \'* /verifyctl *\'\n    - \'* -encode *\'\n    - \'* /encode *\'\n    - \'*certutil* -URL*\'\n    - \'*certutil* /URL*\'\n    - \'*certutil* -ping*\'\n    - \'*certutil* /ping*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.t1140\n- attack.t1105\n- attack.s0189\n- attack.g0007\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: high\n\n
\n}}'),(9487,'Issue',525,15,'T1140'),(9488,'Issue',525,15,'T1105'),(9489,'Issue',526,1,'Certutil Encode'),(9490,'Issue',526,2,'Florian Roth'),(9491,'Issue',526,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\nhttps://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/'),(9492,'Issue',526,10,'medium'),(9493,'Issue',526,13,'community'),(9494,'Issue',526,14,'windows'),(9495,'Issue',526,15,''),(9496,'Issue',526,11,'8b115c8b1'),(9497,'Issue',526,12,'e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a'),(9498,'Issue',526,16,'win-proc'),(9499,'Issue',526,17,''),(9500,'Issue',526,7,''),(9501,'Issue',526,3,'Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration'),(9502,'Issue',526,4,''),(9503,'Issue',526,5,'_False Positives_\nunknown'),(9504,'Issue',526,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(certutil\\ \\-f\\ \\-encode\\ * OR certutil.exe\\ \\-f\\ \\-encode\\ * OR certutil\\ \\-encode\\ \\-f\\ * OR certutil.exe\\ \\-encode\\ \\-f\\ *))\nindex: so-*\nname: Certutil Encode\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9505,'Issue',526,9,'{{collapse(View Sigma)\n
\n\ntitle: Certutil Encode\nid: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a\nstatus: experimental\ndescription: Detects suspicious a certutil command that used to encode files, which\n  is sometimes used for data exfiltration\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\n- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\nauthor: Florian Roth\ndate: 2019/02/24\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - certutil -f -encode *\n    - certutil.exe -f -encode *\n    - certutil -encode -f *\n    - certutil.exe -encode -f *\n  condition: selection\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(9506,'Issue',527,1,'Suspicious Commandline Escape'),(9507,'Issue',527,2,'juju4'),(9508,'Issue',527,8,'https://twitter.com/vysecurity/status/885545634958385153\nhttps://twitter.com/Hexacorn/status/885553465417756673\nhttps://twitter.com/Hexacorn/status/885570278637678592\nhttps://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\nhttp://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/'),(9509,'Issue',527,10,'low'),(9510,'Issue',527,13,'community'),(9511,'Issue',527,14,'windows'),(9513,'Issue',527,11,'2267c2557'),(9514,'Issue',527,12,'f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd'),(9515,'Issue',527,16,'win-proc'),(9516,'Issue',527,17,''),(9517,'Issue',527,7,''),(9518,'Issue',527,3,'Detects suspicious process that use escape characters'),(9519,'Issue',527,4,''),(9520,'Issue',527,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9521,'Issue',527,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*h\\^t\\^t\\^p* OR *h\\\"t\\\"t\\\"p*))\nindex: so-*\nname: Suspicious Commandline Escape\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9522,'Issue',527,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Commandline Escape\nid: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd\ndescription: Detects suspicious process that use escape characters\nstatus: experimental\nreferences:\n- https://twitter.com/vysecurity/status/885545634958385153\n- https://twitter.com/Hexacorn/status/885553465417756673\n- https://twitter.com/Hexacorn/status/885570278637678592\n- https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\n- http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/\nauthor: juju4\ndate: 2018/12/11\nmodified: 2020/03/14\ntags:\n- attack.defense_evasion\n- attack.t1140\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*h^t^t^p*\'\n    - \'*h\"t\"t\"p*\'\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: low\n\n
\n}}'),(9523,'Issue',527,15,'T1140'),(9524,'Issue',528,1,'Command Line Execution with Suspicious URL and AppData Strings'),(9525,'Issue',528,2,'Florian Roth'),(9526,'Issue',528,8,'https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100\nhttps://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100'),(9527,'Issue',528,10,'medium'),(9528,'Issue',528,13,'community'),(9529,'Issue',528,14,'windows'),(9531,'Issue',528,11,'6f1a08e1b'),(9532,'Issue',528,12,'1ac8666b-046f-4201-8aba-1951aaec03a3'),(9533,'Issue',528,16,'win-proc'),(9534,'Issue',528,17,''),(9535,'Issue',528,7,''),(9536,'Issue',528,3,'Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)'),(9537,'Issue',528,4,''),(9538,'Issue',528,5,'_False Positives_\nHigh\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9539,'Issue',528,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(cmd.exe\\ \\/c\\ *http\\:\\/\\/*%AppData% OR cmd.exe\\ \\/c\\ *https\\:\\/\\/*%AppData%))\nindex: so-*\nname: Command Line Execution with Suspicious URL and AppData Strings\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9540,'Issue',528,9,'{{collapse(View Sigma)\n
\n\ntitle: Command Line Execution with Suspicious URL and AppData Strings\nid: 1ac8666b-046f-4201-8aba-1951aaec03a3\nstatus: experimental\ndescription: Detects a suspicious command line execution that includes an URL and\n  AppData string in the command line parameters as used by several droppers (js/vbs\n  > powershell)\nreferences:\n- https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100\n- https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.execution\n- attack.t1059\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - cmd.exe /c *http://*%AppData%\n    - cmd.exe /c *https://*%AppData%\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- High\nlevel: medium\n\n
\n}}'),(9541,'Issue',528,15,'T1059'),(9542,'Issue',529,1,'Suspicious Code Page Switch'),(9543,'Issue',529,2,'Florian Roth'),(9544,'Issue',529,8,'https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\nhttps://twitter.com/cglyer/status/1183756892952248325'),(9545,'Issue',529,10,'medium'),(9546,'Issue',529,13,'community'),(9547,'Issue',529,14,'windows'),(9548,'Issue',529,15,''),(9549,'Issue',529,11,'29f880f96'),(9550,'Issue',529,12,'c7942406-33dd-4377-a564-0f62db0593a3'),(9551,'Issue',529,16,'win-proc'),(9552,'Issue',529,17,''),(9553,'Issue',529,7,''),(9554,'Issue',529,3,'Detects a code page switch in command line or batch scripts to a rare language'),(9555,'Issue',529,4,''),(9556,'Issue',529,5,'_False Positives_\nAdministrative activity (adjust code pages according to your organisation\'s region)\n\n_Interesting Log Fields_\nParentCommandLine'),(9557,'Issue',529,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(chcp*\\ 936 OR chcp*\\ 1258))\nindex: so-*\nname: Suspicious Code Page Switch\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9558,'Issue',529,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Code Page Switch\nid: c7942406-33dd-4377-a564-0f62db0593a3\nstatus: experimental\ndescription: Detects a code page switch in command line or batch scripts to a rare\n  language\nauthor: Florian Roth\ndate: 2019/10/14\nreferences:\n- https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\n- https://twitter.com/cglyer/status/1183756892952248325\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - chcp* 936\n    - chcp* 1258\n  condition: selection\nfields:\n- ParentCommandLine\nfalsepositives:\n- Administrative activity (adjust code pages according to your organisation\'s region)\nlevel: medium\n\n
\n}}'),(9559,'Issue',530,1,'Reconnaissance Activity with Net Command'),(9560,'Issue',530,2,'Florian Roth, Markus Neis'),(9561,'Issue',530,8,'https://twitter.com/haroonmeer/status/939099379834658817\nhttps://twitter.com/c_APT_ure/status/939475433711722497\nhttps://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html'),(9562,'Issue',530,10,'medium'),(9563,'Issue',530,13,'community'),(9564,'Issue',530,14,'windows'),(9566,'Issue',530,11,'c51af1088'),(9567,'Issue',530,12,'2887e914-ce96-435f-8105-593937e90757'),(9568,'Issue',530,16,'win-proc'),(9569,'Issue',530,17,''),(9570,'Issue',530,7,''),(9571,'Issue',530,3,'Detects a set of commands often used in recon stages by different attack groups'),(9572,'Issue',530,4,''),(9573,'Issue',530,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9574,'Issue',530,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(tasklist OR net\\ time OR systeminfo OR whoami OR nbtstat OR net\\ start OR *\\\\net1\\ start OR qprocess OR nslookup OR hostname.exe OR *\\\\net1\\ user\\ \\/domain OR *\\\\net1\\ group\\ \\/domain OR *\\\\net1\\ group\\ \\\"domain\\ admins\\\"\\ \\/domain OR *\\\\net1\\ group\\ \\\"Exchange\\ Trusted\\ Subsystem\\\"\\ \\/domain OR *\\\\net1\\ accounts\\ \\/domain OR *\\\\net1\\ user\\ net\\ localgroup\\ administrators OR netstat\\ \\-an))\nindex: so-*\nmax_threshold: 4\nmetric_agg_key: _id\nmetric_agg_type: cardinality\nname: Reconnaissance Activity with Net Command\npriority: 3\nquery_key: process.command_line.keyword\nrealert:\n  minutes: 0\ntype: metric_aggregation\n
\n}}'),(9575,'Issue',530,9,'{{collapse(View Sigma)\n
\n\ntitle: Reconnaissance Activity with Net Command\nid: 2887e914-ce96-435f-8105-593937e90757\nstatus: experimental\ndescription: Detects a set of commands often used in recon stages by different attack\n  groups\nreferences:\n- https://twitter.com/haroonmeer/status/939099379834658817\n- https://twitter.com/c_APT_ure/status/939475433711722497\n- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html\nauthor: Florian Roth, Markus Neis\ndate: 2018/08/22\nmodified: 2018/12/11\ntags:\n- attack.discovery\n- attack.t1087\n- attack.t1082\n- car.2016-03-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - tasklist\n    - net time\n    - systeminfo\n    - whoami\n    - nbtstat\n    - net start\n    - \'*\\net1 start\'\n    - qprocess\n    - nslookup\n    - hostname.exe\n    - \'*\\net1 user /domain\'\n    - \'*\\net1 group /domain\'\n    - \'*\\net1 group \"domain admins\" /domain\'\n    - \'*\\net1 group \"Exchange Trusted Subsystem\" /domain\'\n    - \'*\\net1 accounts /domain\'\n    - \'*\\net1 user net localgroup administrators\'\n    - netstat -an\n  timeframe: 15s\n  condition: selection | count() by CommandLine > 4\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(9576,'Issue',530,15,'T1087'),(9577,'Issue',530,15,'T1082'),(9578,'Issue',531,1,'Suspicious Compression Tool Parameters'),(9579,'Issue',531,2,'Florian Roth, Samir Bousseaden'),(9580,'Issue',531,8,'https://twitter.com/SBousseaden/status/1184067445612535811'),(9581,'Issue',531,10,'high'),(9582,'Issue',531,13,'community'),(9583,'Issue',531,14,'windows'),(9585,'Issue',531,11,'ca20cc397'),(9586,'Issue',531,12,'27a72a60-7e5e-47b1-9d17-909c9abafdcd'),(9587,'Issue',531,16,'win-proc'),(9588,'Issue',531,17,''),(9589,'Issue',531,7,''),(9590,'Issue',531,3,'Detects suspicious command line arguments of common data compression tools'),(9591,'Issue',531,4,''),(9592,'Issue',531,5,'_False Positives_\nunknown'),(9593,'Issue',531,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (OriginalFileName.keyword:(7z*.exe OR *rar.exe OR *Command*Line*RAR*) AND process.command_line.keyword:(*\\ \\-p* OR *\\ \\-ta* OR *\\ \\-tb* OR *\\ \\-sdel* OR *\\ \\-dw* OR *\\ \\-hp*)) AND (NOT (process.parent.executable.keyword:C\\:\\\\Program*)))\nindex: so-*\nname: Suspicious Compression Tool Parameters\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9594,'Issue',531,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Compression Tool Parameters\nid: 27a72a60-7e5e-47b1-9d17-909c9abafdcd\nstatus: experimental\ndescription: Detects suspicious command line arguments of common data compression\n  tools\nreferences:\n- https://twitter.com/SBousseaden/status/1184067445612535811\ntags:\n- attack.exfiltration\n- attack.t1020\n- attack.t1002\nauthor: Florian Roth, Samir Bousseaden\ndate: 2019/10/15\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    OriginalFileName:\n    - 7z*.exe\n    - \'*rar.exe\'\n    - \'*Command*Line*RAR*\'\n    CommandLine:\n    - \'* -p*\'\n    - \'* -ta*\'\n    - \'* -tb*\'\n    - \'* -sdel*\'\n    - \'* -dw*\'\n    - \'* -hp*\'\n  falsepositive:\n    ParentImage: C:\\Program*\n  condition: selection and not falsepositive\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(9595,'Issue',531,15,'T1020'),(9596,'Issue',531,15,'T1002'),(9597,'Issue',532,1,'Process Dump via Comsvcs DLL'),(9598,'Issue',532,2,'Modexp (idea)'),(9599,'Issue',532,8,'https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\nhttps://twitter.com/SBousseaden/status/1167417096374050817'),(9600,'Issue',532,10,'medium'),(9601,'Issue',532,13,'community'),(9602,'Issue',532,14,'windows'),(9604,'Issue',532,11,'01665fd2b'),(9605,'Issue',532,12,'09e6d5c0-05b8-4ff8-9eeb-043046ec774c'),(9606,'Issue',532,16,'win-proc'),(9607,'Issue',532,17,''),(9608,'Issue',532,7,''),(9609,'Issue',532,3,'Detects process memory dump via comsvcs.dll and rundll32'),(9610,'Issue',532,4,''),(9611,'Issue',532,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9612,'Issue',532,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\rundll32.exe OR OriginalFileName:\"RUNDLL32.EXE\") AND process.command_line.keyword:(*comsvcs*MiniDump*full* OR *comsvcs*MiniDumpW*full*))\nindex: so-*\nname: Process Dump via Comsvcs DLL\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9613,'Issue',532,9,'{{collapse(View Sigma)\n
\n\ntitle: Process Dump via Comsvcs DLL\nid: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c\nstatus: experimental\ndescription: Detects process memory dump via comsvcs.dll and rundll32\nreferences:\n- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\n- https://twitter.com/SBousseaden/status/1167417096374050817\nauthor: Modexp (idea)\ndate: 2019/09/02\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  rundll_image:\n    Image: \'*\\rundll32.exe\'\n  rundll_ofn:\n    OriginalFileName: RUNDLL32.EXE\n  selection:\n    CommandLine:\n    - \'*comsvcs*MiniDump*full*\'\n    - \'*comsvcs*MiniDumpW*full*\'\n  condition: (rundll_image or rundll_ofn) and selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.credential_access\n- attack.t1003\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(9614,'Issue',532,15,'T1003'),(9615,'Issue',533,1,'Suspicious Control Panel DLL Load'),(9616,'Issue',533,2,'Florian Roth'),(9617,'Issue',533,8,'https://twitter.com/rikvduijn/status/853251879320662017'),(9618,'Issue',533,10,'high'),(9619,'Issue',533,13,'community'),(9620,'Issue',533,14,'windows'),(9622,'Issue',533,11,'7b06179ac'),(9623,'Issue',533,12,'d7eb979b-c2b5-4a6f-a3a7-c87ce6763819'),(9624,'Issue',533,16,'win-proc'),(9625,'Issue',533,17,''),(9626,'Issue',533,7,''),(9627,'Issue',533,3,'Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits'),(9628,'Issue',533,4,''),(9629,'Issue',533,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9630,'Issue',533,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\System32\\\\control.exe AND process.command_line.keyword:*\\\\rundll32.exe\\ *) AND (NOT (process.command_line.keyword:*Shell32.dll*)))\nindex: so-*\nname: Suspicious Control Panel DLL Load\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9631,'Issue',533,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Control Panel DLL Load\nid: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819\nstatus: experimental\ndescription: Detects suspicious Rundll32 execution from control.exe as used by Equation\n  Group and Exploit Kits\nauthor: Florian Roth\ndate: 2017/04/15\nreferences:\n- https://twitter.com/rikvduijn/status/853251879320662017\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.t1085\n- car.2013-10-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\System32\\control.exe\'\n    CommandLine: \'*\\rundll32.exe *\'\n  filter:\n    CommandLine: \'*Shell32.dll*\'\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9632,'Issue',533,15,'T1073'),(9633,'Issue',533,15,'T1085'),(9634,'Issue',534,1,'Copy from Admin Share'),(9635,'Issue',534,2,'Florian Roth'),(9636,'Issue',534,8,'https://twitter.com/SBousseaden/status/1211636381086339073'),(9637,'Issue',534,10,'high'),(9638,'Issue',534,13,'community'),(9639,'Issue',534,14,'windows'),(9641,'Issue',534,11,'ec9ee9ed7'),(9642,'Issue',534,12,'855bc8b5-2ae8-402e-a9ed-b889e6df1900'),(9643,'Issue',534,16,'win-proc'),(9644,'Issue',534,17,''),(9645,'Issue',534,7,''),(9646,'Issue',534,3,'Detects a suspicious copy command from a remote C$ or ADMIN$ share'),(9647,'Issue',534,4,''),(9648,'Issue',534,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9649,'Issue',534,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*copy\\ *\\\\c$* OR *copy\\ *\\\\ADMIN$*))\nindex: so-*\nname: Copy from Admin Share\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9650,'Issue',534,9,'{{collapse(View Sigma)\n
\n\ntitle: Copy from Admin Share\nid: 855bc8b5-2ae8-402e-a9ed-b889e6df1900\nstatus: experimental\ndescription: Detects a suspicious copy command from a remote C$ or ADMIN$ share\nreferences:\n- https://twitter.com/SBousseaden/status/1211636381086339073\nauthor: Florian Roth\ndate: 2019/12/30\ntags:\n- attack.lateral_movement\n- attack.t1077\n- attack.t1105\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains:\n    - copy *\\c$\n    - copy *\\ADMIN$\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: high\n\n
\n}}'),(9651,'Issue',534,15,'T1077'),(9652,'Issue',534,15,'T1105'),(9653,'Issue',535,1,'Suspicious Parent of Csc.exe'),(9654,'Issue',535,2,'Florian Roth'),(9655,'Issue',535,8,'https://twitter.com/SBousseaden/status/1094924091256176641'),(9656,'Issue',535,10,'high'),(9657,'Issue',535,13,'community'),(9658,'Issue',535,14,'windows'),(9660,'Issue',535,11,'2a0ef0717'),(9661,'Issue',535,12,'b730a276-6b63-41b8-bcf8-55930c8fc6ee'),(9662,'Issue',535,16,'win-proc'),(9663,'Issue',535,17,''),(9664,'Issue',535,7,''),(9665,'Issue',535,3,'Detects a suspicious parent of csc.exe, which could by a sign of payload delivery'),(9666,'Issue',535,4,''),(9667,'Issue',535,5,'_False Positives_\nUnkown'),(9668,'Issue',535,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\csc.exe* AND process.parent.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\mshta.exe))\nindex: so-*\nname: Suspicious Parent of Csc.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9669,'Issue',535,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Parent of Csc.exe\nid: b730a276-6b63-41b8-bcf8-55930c8fc6ee\ndescription: Detects a suspicious parent of csc.exe, which could by a sign of payload\n  delivery\nstatus: experimental\nreferences:\n- https://twitter.com/SBousseaden/status/1094924091256176641\nauthor: Florian Roth\ndate: 2019/02/11\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\csc.exe*\'\n    ParentImage:\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    - \'*\\mshta.exe\'\n  condition: selection\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(9670,'Issue',535,15,'T1036'),(9671,'Issue',536,1,'Suspicious Csc.exe Source File Folder'),(9672,'Issue',536,2,'Florian Roth'),(9673,'Issue',536,8,'https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/\nhttps://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf\nhttps://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/\nhttps://twitter.com/gN3mes1s/status/1206874118282448897'),(9674,'Issue',536,10,'high'),(9675,'Issue',536,13,'community'),(9676,'Issue',536,14,'windows'),(9678,'Issue',536,11,'7da368a8e'),(9679,'Issue',536,12,'dcaa3f04-70c3-427a-80b4-b870d73c94c4'),(9680,'Issue',536,16,'win-proc'),(9681,'Issue',536,17,''),(9682,'Issue',536,7,''),(9683,'Issue',536,3,'Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)'),(9684,'Issue',536,4,''),(9685,'Issue',536,5,'_False Positives_\nhttps://twitter.com/gN3mes1s/status/1206874118282448897\nhttps://twitter.com/gabriele_pippi/status/1206907900268072962'),(9686,'Issue',536,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\csc.exe AND process.command_line.keyword:(*\\\\AppData\\\\* OR *\\\\Windows\\\\Temp\\\\*)) AND (NOT (process.parent.executable.keyword:(C\\:\\\\Program\\ Files* OR *\\\\sdiagnhost.exe OR *\\\\w3wp.exe))))\nindex: so-*\nname: Suspicious Csc.exe Source File Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9687,'Issue',536,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Csc.exe Source File Folder\nid: dcaa3f04-70c3-427a-80b4-b870d73c94c4\ndescription: Detects a suspicious execution of csc.exe, which uses a source in a suspicious\n  folder (e.g. AppData)\nstatus: experimental\nreferences:\n- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/\n- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf\n- https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/\n- https://twitter.com/gN3mes1s/status/1206874118282448897\nauthor: Florian Roth\ndate: 2019/08/24\nmodified: 2019/12/17\ntags:\n- attack.defense_evasion\n- attack.t1500\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\csc.exe\'\n    CommandLine:\n    - \'*\\AppData\\\\*\'\n    - \'*\\Windows\\Temp\\\\*\'\n  filter:\n    ParentImage:\n    - C:\\Program Files*\n    - \'*\\sdiagnhost.exe\'\n    - \'*\\w3wp.exe\'\n  condition: selection and not filter\nfalsepositives:\n- https://twitter.com/gN3mes1s/status/1206874118282448897\n- https://twitter.com/gabriele_pippi/status/1206907900268072962\nlevel: high\n\n
\n}}'),(9688,'Issue',536,15,'T1500'),(9689,'Issue',537,1,'Curl Start Combination'),(9690,'Issue',537,2,'Sreeman'),(9691,'Issue',537,8,'https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983'),(9692,'Issue',537,10,'medium'),(9693,'Issue',537,13,'community'),(9694,'Issue',537,14,'windows'),(9696,'Issue',537,11,'cba091473'),(9697,'Issue',537,12,'21dd6d38-2b18-4453-9404-a0fe4a0cc288'),(9698,'Issue',537,16,'win-proc'),(9699,'Issue',537,17,''),(9700,'Issue',537,7,''),(9701,'Issue',537,3,'Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.'),(9702,'Issue',537,4,''),(9703,'Issue',537,5,'_False Positives_\nAdministrative scripts (installers)\n\n_Interesting Log Fields_\nParentImage\nCommandLine'),(9704,'Issue',537,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*curl*\\ start\\ *)\nindex: so-*\nname: Curl Start Combination\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9705,'Issue',537,9,'{{collapse(View Sigma)\n
\n\ntitle: Curl Start Combination\nid: 21dd6d38-2b18-4453-9404-a0fe4a0cc288\nstatus: experimental\ndescription: Adversaries can use curl to download payloads remotely and execute them.\n  Curl is included by default in Windows 10 build 17063 and later.\nreferences:\n- https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983\nauthor: Sreeman\ndate: 2020/01/13\ntags:\n- attack.execution\n- attack.t1218\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  condition: selection\n  selection:\n    CommandLine|contains: \'curl* start \'\nfalsepositives:\n- Administrative scripts (installers)\nfields:\n- ParentImage\n- CommandLine\nlevel: medium\n\n
\n}}'),(9706,'Issue',537,15,'T1218'),(9707,'Issue',538,1,'ZOHO Dctask64 Process Injection'),(9708,'Issue',538,2,'Florian Roth'),(9709,'Issue',538,8,'https://twitter.com/gN3mes1s/status/1222088214581825540\nhttps://twitter.com/gN3mes1s/status/1222095963789111296\nhttps://twitter.com/gN3mes1s/status/1222095371175911424'),(9710,'Issue',538,10,'high'),(9711,'Issue',538,13,'community'),(9712,'Issue',538,14,'windows'),(9714,'Issue',538,11,'fe9f76fc8'),(9715,'Issue',538,12,'6345b048-8441-43a7-9bed-541133633d7a'),(9716,'Issue',538,16,'win-proc'),(9717,'Issue',538,17,''),(9718,'Issue',538,7,''),(9719,'Issue',538,3,'Detects suspicious process injection using ZOHO\'s dctask64.exe'),(9720,'Issue',538,4,''),(9721,'Issue',538,5,'_False Positives_\nUnknown yet\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nParentImage'),(9722,'Issue',538,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\dctask64.exe) AND (NOT (process.command_line.keyword:(*DesktopCentral_Agent\\\\agent*))))\nindex: so-*\nname: ZOHO Dctask64 Process Injection\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9723,'Issue',538,9,'{{collapse(View Sigma)\n
\n\ntitle: ZOHO Dctask64 Process Injection\nid: 6345b048-8441-43a7-9bed-541133633d7a\nstatus: experimental\ndescription: Detects suspicious process injection using ZOHO\'s dctask64.exe\nreferences:\n- https://twitter.com/gN3mes1s/status/1222088214581825540\n- https://twitter.com/gN3mes1s/status/1222095963789111296\n- https://twitter.com/gN3mes1s/status/1222095371175911424\nauthor: Florian Roth\ndate: 2020/01/28\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\dctask64.exe\n  filter:\n    CommandLine|contains:\n    - DesktopCentral_Agent\\agent\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\n- ParentImage\nfalsepositives:\n- Unknown yet\nlevel: high\n\n
\n}}'),(9724,'Issue',538,15,'T1055'),(9725,'Issue',539,1,'Devtoolslauncher.exe Executes Specified Binary'),(9726,'Issue',539,2,'Beyu Denis, oscd.community (rule), @_felamos (idea)'),(9727,'Issue',539,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml\nhttps://twitter.com/_felamos/status/1179811992841797632'),(9728,'Issue',539,10,'critical'),(9729,'Issue',539,13,'community'),(9730,'Issue',539,14,'windows'),(9732,'Issue',539,11,'8beb4a23d'),(9733,'Issue',539,12,'cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6'),(9734,'Issue',539,16,'win-proc'),(9735,'Issue',539,17,''),(9736,'Issue',539,7,''),(9737,'Issue',539,3,'The Devtoolslauncher.exe executes other binary'),(9738,'Issue',539,4,''),(9739,'Issue',539,5,'_False Positives_\nLegitimate use of devtoolslauncher.exe by legitimate user'),(9740,'Issue',539,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\devtoolslauncher.exe AND process.command_line.keyword:*LaunchForDeploy*)\nindex: so-*\nname: Devtoolslauncher.exe Executes Specified Binary\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9741,'Issue',539,9,'{{collapse(View Sigma)\n
\n\ntitle: Devtoolslauncher.exe Executes Specified Binary\nid: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6\nstatus: experimental\ndescription: The Devtoolslauncher.exe executes other binary\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml\n- https://twitter.com/_felamos/status/1179811992841797632\nauthor: Beyu Denis, oscd.community (rule), @_felamos (idea)\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: critical\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\devtoolslauncher.exe\n    CommandLine|contains: LaunchForDeploy\n  condition: selection\nfalsepositives:\n- Legitimate use of devtoolslauncher.exe by legitimate user\n\n
\n}}'),(9742,'Issue',539,15,'T1218'),(9743,'Issue',540,1,'Direct Autorun Keys Modification'),(9744,'Issue',540,2,'Victor Sergeev, Daniil Yugoslavskiy, oscd.community'),(9745,'Issue',540,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml'),(9746,'Issue',540,10,'medium'),(9747,'Issue',540,13,'community'),(9748,'Issue',540,14,'windows'),(9750,'Issue',540,11,'8eab5e98e'),(9751,'Issue',540,12,'24357373-078f-44ed-9ac4-6d334a668a11'),(9752,'Issue',540,16,'win-proc'),(9753,'Issue',540,17,''),(9754,'Issue',540,7,''),(9755,'Issue',540,3,'Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.'),(9756,'Issue',540,4,''),(9757,'Issue',540,5,'_False Positives_\nLegitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason\nLegitimate administrator sets up autorun keys for legitimate reason\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9758,'Issue',540,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\reg.exe AND process.command_line.keyword:*add* AND process.command_line.keyword:(*\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User\\ Shell\\ Folders* OR *\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell*))\nindex: so-*\nname: Direct Autorun Keys Modification\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9759,'Issue',540,9,'{{collapse(View Sigma)\n
\n\ntitle: Direct Autorun Keys Modification\nid: 24357373-078f-44ed-9ac4-6d334a668a11\ndescription: Detects direct modification of autostart extensibility point (ASEP) in\n  registry using reg.exe.\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2019/10/25\nmodified: 2019/11/10\nauthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    Image|endswith: \'*\\reg.exe\'\n    CommandLine|contains: add\n  selection_2:\n    CommandLine|contains:\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\Run\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\n    - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\n    - \\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n    - \\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell\n  condition: selection_1 and selection_2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate software automatically (mostly, during installation) sets up autorun\n  keys for legitimate reason\n- Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n\n
\n}}'),(9760,'Issue',540,15,'T1060'),(9761,'Issue',541,1,'Application Whitelisting Bypass via Dnx.exe'),(9762,'Issue',541,2,'Beyu Denis, oscd.community'),(9763,'Issue',541,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml\nhttps://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/'),(9764,'Issue',541,10,'medium'),(9765,'Issue',541,13,'community'),(9766,'Issue',541,14,'windows'),(9768,'Issue',541,11,'4f84e2c15'),(9769,'Issue',541,12,'81ebd28b-9607-4478-bf06-974ed9d53ed7'),(9770,'Issue',541,16,'win-proc'),(9771,'Issue',541,17,''),(9772,'Issue',541,7,''),(9773,'Issue',541,3,'Execute C# code located in the consoleapp folder'),(9774,'Issue',541,4,''),(9775,'Issue',541,5,'_False Positives_\nLegitimate use of dnx.exe by legitimate user'),(9776,'Issue',541,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\dnx.exe)\nindex: so-*\nname: Application Whitelisting Bypass via Dnx.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9777,'Issue',541,9,'{{collapse(View Sigma)\n
\n\ntitle: Application Whitelisting Bypass via Dnx.exe\nid: 81ebd28b-9607-4478-bf06-974ed9d53ed7\nstatus: experimental\ndescription: Execute C# code located in the consoleapp folder\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml\n- https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\dnx.exe\n  condition: selection\nfalsepositives:\n- Legitimate use of dnx.exe by legitimate user\n\n
\n}}'),(9778,'Issue',541,15,'T1218'),(9779,'Issue',542,1,'Suspicious Double Extension'),(9780,'Issue',542,2,'Florian Roth (rule), @blu3_team (idea)'),(9781,'Issue',542,8,'https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html\nhttps://twitter.com/blackorbird/status/1140519090961825792'),(9782,'Issue',542,10,'critical'),(9783,'Issue',542,13,'community'),(9784,'Issue',542,14,'windows'),(9786,'Issue',542,11,'17b387ea8'),(9787,'Issue',542,12,'1cdd9a09-06c9-4769-99ff-626e2b3991b8'),(9788,'Issue',542,16,'win-proc'),(9789,'Issue',542,17,''),(9790,'Issue',542,7,''),(9791,'Issue',542,3,'Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns'),(9792,'Issue',542,4,''),(9793,'Issue',542,5,'_False Positives_\nUnknown'),(9794,'Issue',542,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*.doc.exe OR *.docx.exe OR *.xls.exe OR *.xlsx.exe OR *.ppt.exe OR *.pptx.exe OR *.rtf.exe OR *.pdf.exe OR *.txt.exe OR *\\ \\ \\ \\ \\ \\ .exe OR *______.exe))\nindex: so-*\nname: Suspicious Double Extension\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9795,'Issue',542,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Double Extension\nid: 1cdd9a09-06c9-4769-99ff-626e2b3991b8\ndescription: Detects suspicious use of an .exe extension after a non-executable file\n  extension like .pdf.exe, a set of spaces or underlines to cloak the executable file\n  in spear phishing campaigns\nreferences:\n- https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html\n- https://twitter.com/blackorbird/status/1140519090961825792\nauthor: Florian Roth (rule), @blu3_team (idea)\ndate: 2019/06/26\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*.doc.exe\'\n    - \'*.docx.exe\'\n    - \'*.xls.exe\'\n    - \'*.xlsx.exe\'\n    - \'*.ppt.exe\'\n    - \'*.pptx.exe\'\n    - \'*.rtf.exe\'\n    - \'*.pdf.exe\'\n    - \'*.txt.exe\'\n    - \'*      .exe\'\n    - \'*______.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(9796,'Issue',542,15,'T1193'),(9797,'Issue',543,1,'Application Whitelisting Bypass via Dxcap.exe'),(9798,'Issue',543,2,'Beyu Denis, oscd.community'),(9799,'Issue',543,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml\nhttps://twitter.com/harr0ey/status/992008180904419328'),(9800,'Issue',543,10,'medium'),(9801,'Issue',543,13,'community'),(9802,'Issue',543,14,'windows'),(9804,'Issue',543,11,'21213eb67'),(9805,'Issue',543,12,'60f16a96-db70-42eb-8f76-16763e333590'),(9806,'Issue',543,16,'win-proc'),(9807,'Issue',543,17,''),(9808,'Issue',543,7,''),(9809,'Issue',543,3,'Detects execution of of Dxcap.exe'),(9810,'Issue',543,4,''),(9811,'Issue',543,5,'_False Positives_\nLegitimate execution of dxcap.exe by legitimate user'),(9812,'Issue',543,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\dxcap.exe AND process.command_line.keyword:*\\-c* AND process.command_line.keyword:*.exe*)\nindex: so-*\nname: Application Whitelisting Bypass via Dxcap.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9813,'Issue',543,9,'{{collapse(View Sigma)\n
\n\ntitle: Application Whitelisting Bypass via Dxcap.exe\nid: 60f16a96-db70-42eb-8f76-16763e333590\nstatus: experimental\ndescription: Detects execution of of Dxcap.exe\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml\n- https://twitter.com/harr0ey/status/992008180904419328\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\dxcap.exe\n    CommandLine|contains|all:\n    - -c\n    - .exe\n  condition: selection\nfalsepositives:\n- Legitimate execution of dxcap.exe by legitimate user\n\n
\n}}'),(9814,'Issue',543,15,'T1218'),(9815,'Issue',544,1,'Suspicious Eventlog Clear or Configuration Using Wevtutil'),(9816,'Issue',544,2,'Ecco, Daniil Yugoslavskiy, oscd.community'),(9817,'Issue',544,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html'),(9818,'Issue',544,10,'high'),(9819,'Issue',544,13,'community'),(9820,'Issue',544,14,'windows'),(9822,'Issue',544,11,'63dddab3d'),(9823,'Issue',544,12,'cc36992a-4671-4f21-a91d-6c2b72a2edf5'),(9824,'Issue',544,16,'win-proc'),(9825,'Issue',544,17,''),(9826,'Issue',544,7,''),(9827,'Issue',544,3,'Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)'),(9828,'Issue',544,4,''),(9829,'Issue',544,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(9830,'Issue',544,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (((process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:(*Clear\\-EventLog* OR *Remove\\-EventLog* OR *Limit\\-EventLog*)) OR (process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*\\ ClearEventLog\\ *)) OR (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\wevtutil.exe AND process.command_line.keyword:(*clear\\-log* OR *\\ cl\\ * OR *set\\-log* OR *\\ sl\\ *))))\nindex: so-*\nname: Suspicious Eventlog Clear or Configuration Using Wevtutil\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9831,'Issue',544,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Eventlog Clear or Configuration Using Wevtutil\nid: cc36992a-4671-4f21-a91d-6c2b72a2edf5\ndescription: Detects clearing or configuration of eventlogs uwing wevtutil, powershell\n  and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)\nauthor: Ecco, Daniil Yugoslavskiy, oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html\ndate: 2019/09/26\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.t1070\n- car.2016-04-002\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_wevtutil_binary:\n    Image|endswith: \\wevtutil.exe\n  selection_wevtutil_command:\n    CommandLine|contains:\n    - clear-log\n    - \' cl \'\n    - set-log\n    - \' sl \'\n  selection_other_ps:\n    Image|endswith: \\powershell.exe\n    CommandLine|contains:\n    - Clear-EventLog\n    - Remove-EventLog\n    - Limit-EventLog\n  selection_other_wmic:\n    Image|endswith: \\wmic.exe\n    CommandLine|contains: \' ClearEventLog \'\n  condition: 1 of selection_other_* or (selection_wevtutil_binary and selection_wevtutil_command)\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\n\n
\n}}'),(9832,'Issue',544,15,'T1070'),(9833,'Issue',545,1,'Executables Started in Suspicious Folder'),(9834,'Issue',545,2,'Florian Roth'),(9835,'Issue',545,8,'https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt\nhttps://www.secureworks.com/research/bronze-butler-targets-japanese-businesses\nhttps://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nhttps://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md'),(9836,'Issue',545,10,'high'),(9837,'Issue',545,13,'community'),(9838,'Issue',545,14,'windows'),(9840,'Issue',545,11,'a3054aa4c'),(9841,'Issue',545,12,'7a38aa19-86a9-4af7-ac51-6bfe4e59f254'),(9842,'Issue',545,16,'win-proc'),(9843,'Issue',545,17,''),(9844,'Issue',545,7,''),(9845,'Issue',545,3,'Detects process starts of binaries from a suspicious folder'),(9846,'Issue',545,4,''),(9847,'Issue',545,5,'_False Positives_\nUnknown'),(9848,'Issue',545,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(C\\:\\\\PerfLogs\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Intel\\\\Logs\\\\* OR C\\:\\\\Users\\\\Default\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\NetworkService\\\\* OR C\\:\\\\Windows\\\\Fonts\\\\* OR C\\:\\\\Windows\\\\Debug\\\\* OR C\\:\\\\Windows\\\\Media\\\\* OR C\\:\\\\Windows\\\\Help\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\repair\\\\* OR C\\:\\\\Windows\\\\security\\\\* OR *\\\\RSA\\\\MachineKeys\\\\* OR C\\:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\System32\\\\Tasks\\\\*))\nindex: so-*\nname: Executables Started in Suspicious Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9849,'Issue',545,9,'{{collapse(View Sigma)\n
\n\ntitle: Executables Started in Suspicious Folder\nid: 7a38aa19-86a9-4af7-ac51-6bfe4e59f254\nstatus: experimental\ndescription: Detects process starts of binaries from a suspicious folder\nauthor: Florian Roth\ndate: 2017/10/14\nmodified: 2019/02/21\nreferences:\n- https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt\n- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\n- https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - C:\\PerfLogs\\\\*\n    - C:\\$Recycle.bin\\\\*\n    - C:\\Intel\\Logs\\\\*\n    - C:\\Users\\Default\\\\*\n    - C:\\Users\\Public\\\\*\n    - C:\\Users\\NetworkService\\\\*\n    - C:\\Windows\\Fonts\\\\*\n    - C:\\Windows\\Debug\\\\*\n    - C:\\Windows\\Media\\\\*\n    - C:\\Windows\\Help\\\\*\n    - C:\\Windows\\addins\\\\*\n    - C:\\Windows\\repair\\\\*\n    - C:\\Windows\\security\\\\*\n    - \'*\\RSA\\MachineKeys\\\\*\'\n    - C:\\Windows\\system32\\config\\systemprofile\\\\*\n    - C:\\Windows\\Tasks\\\\*\n    - C:\\Windows\\System32\\Tasks\\\\*\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9850,'Issue',545,15,'T1036'),(9851,'Issue',546,1,'Execution in Non-Executable Folder'),(9852,'Issue',546,2,'Florian Roth'),(9853,'Issue',546,8,'none'),(9854,'Issue',546,10,'high'),(9855,'Issue',546,13,'community'),(9856,'Issue',546,14,'windows'),(9858,'Issue',546,11,'a7b3dd43a'),(9859,'Issue',546,12,'3dfd06d2-eaf4-4532-9555-68aca59f57c4'),(9860,'Issue',546,16,'win-proc'),(9861,'Issue',546,17,''),(9862,'Issue',546,7,''),(9863,'Issue',546,3,'Detects a suspicious exection from an uncommon folder'),(9864,'Issue',546,4,''),(9865,'Issue',546,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9866,'Issue',546,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\All\\ Users\\\\* OR *\\\\Users\\\\Default\\\\* OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\config\\\\systemprofile\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\*))\nindex: so-*\nname: Execution in Non-Executable Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9867,'Issue',546,9,'{{collapse(View Sigma)\n
\n\ntitle: Execution in Non-Executable Folder\nid: 3dfd06d2-eaf4-4532-9555-68aca59f57c4\nstatus: experimental\ndescription: Detects a suspicious exection from an uncommon folder\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\$Recycle.bin\'\n    - \'*\\Users\\All Users\\\\*\'\n    - \'*\\Users\\Default\\\\*\'\n    - \'*\\Users\\Public\\\\*\'\n    - C:\\Perflogs\\\\*\n    - \'*\\config\\systemprofile\\\\*\'\n    - \'*\\Windows\\Fonts\\\\*\'\n    - \'*\\Windows\\IME\\\\*\'\n    - \'*\\Windows\\addins\\\\*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9868,'Issue',546,15,'T1036'),(9869,'Issue',547,1,'Execution in Webserver Root Folder'),(9870,'Issue',547,2,'Florian Roth'),(9871,'Issue',547,8,'none'),(9872,'Issue',547,10,'medium'),(9873,'Issue',547,13,'community'),(9874,'Issue',547,14,'windows'),(9876,'Issue',547,11,'3e95069d6'),(9877,'Issue',547,12,'35efb964-e6a5-47ad-bbcd-19661854018d'),(9878,'Issue',547,16,'win-proc'),(9879,'Issue',547,17,''),(9880,'Issue',547,7,''),(9881,'Issue',547,3,'Detects a suspicious program execution in a web service root folder (filter out false positives)'),(9882,'Issue',547,4,''),(9883,'Issue',547,5,'_False Positives_\nVarious applications\nTools that include ping or nslookup command invocations\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9884,'Issue',547,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wwwroot\\\\* OR *\\\\wmpub\\\\* OR *\\\\htdocs\\\\*) AND (NOT (process.executable.keyword:(*bin\\\\* OR *\\\\Tools\\\\* OR *\\\\SMSComponent\\\\*) AND process.parent.executable.keyword:(*\\\\services.exe))))\nindex: so-*\nname: Execution in Webserver Root Folder\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9885,'Issue',547,9,'{{collapse(View Sigma)\n
\n\ntitle: Execution in Webserver Root Folder\nid: 35efb964-e6a5-47ad-bbcd-19661854018d\nstatus: experimental\ndescription: Detects a suspicious program execution in a web service root folder (filter\n  out false positives)\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.persistence\n- attack.t1100\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\wwwroot\\\\*\'\n    - \'*\\wmpub\\\\*\'\n    - \'*\\htdocs\\\\*\'\n  filter:\n    Image:\n    - \'*bin\\\\*\'\n    - \'*\\Tools\\\\*\'\n    - \'*\\SMSComponent\\\\*\'\n    ParentImage:\n    - \'*\\services.exe\'\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Various applications\n- Tools that include ping or nslookup command invocations\nlevel: medium\n\n
\n}}'),(9886,'Issue',547,15,'T1100'),(9887,'Issue',548,1,'Firewall Disabled via Netsh'),(9888,'Issue',548,2,'Fatih Sirin'),(9889,'Issue',548,8,'https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\nhttps://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/'),(9890,'Issue',548,10,'medium'),(9891,'Issue',548,13,'community'),(9892,'Issue',548,14,'windows'),(9893,'Issue',548,15,''),(9894,'Issue',548,11,'525bbf871'),(9895,'Issue',548,12,'57c4bf16-227f-4394-8ec7-1b745ee061c3'),(9896,'Issue',548,16,'win-proc'),(9897,'Issue',548,17,''),(9898,'Issue',548,7,''),(9899,'Issue',548,3,'Detects netsh commands that turns off the Windows firewall'),(9900,'Issue',548,4,''),(9901,'Issue',548,5,'_False Positives_\nLegitimate administration'),(9902,'Issue',548,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ firewall\\ set\\ opmode\\ mode\\=disable OR netsh\\ advfirewall\\ set\\ *\\ state\\ off))\nindex: so-*\nname: Firewall Disabled via Netsh\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9903,'Issue',548,9,'{{collapse(View Sigma)\n
\n\ntitle: Firewall Disabled via Netsh\nid: 57c4bf16-227f-4394-8ec7-1b745ee061c3\ndescription: Detects netsh commands that turns off the Windows firewall\nreferences:\n- https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\n- https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/\ndate: 2019/11/01\nstatus: experimental\nauthor: Fatih Sirin\ntags:\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - netsh firewall set opmode mode=disable\n    - netsh advfirewall set * state off\n  condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(9904,'Issue',549,1,'Fsutil Suspicious Invocation'),(9905,'Issue',549,2,'Ecco, E.M. Anhaus, oscd.community'),(9906,'Issue',549,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html'),(9907,'Issue',549,10,'high'),(9908,'Issue',549,13,'community'),(9909,'Issue',549,14,'windows'),(9911,'Issue',549,11,'b3585220b'),(9912,'Issue',549,12,'add64136-62e5-48ea-807e-88638d02df1e'),(9913,'Issue',549,16,'win-proc'),(9914,'Issue',549,17,''),(9915,'Issue',549,7,''),(9916,'Issue',549,3,'Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)'),(9917,'Issue',549,4,''),(9918,'Issue',549,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(9919,'Issue',549,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\fsutil.exe OR OriginalFileName:\"fsutil.exe\") AND process.command_line.keyword:(*deletejournal* OR *createjournal*))\nindex: so-*\nname: Fsutil Suspicious Invocation\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9920,'Issue',549,9,'{{collapse(View Sigma)\n
\n\ntitle: Fsutil Suspicious Invocation\nid: add64136-62e5-48ea-807e-88638d02df1e\ndescription: Detects suspicious parameters of fsutil (deleting USN journal, configuring\n  it with small size..). Might be used by ransomwares during the attack (seen by NotPetya\n  and others)\nauthor: Ecco, E.M. Anhaus, oscd.community\ndate: 2019/09/26\nmodified: 2019/11/11\nlevel: high\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html\ntags:\n- attack.defense_evasion\n- attack.t1070\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  binary_1:\n    Image|endswith: \\fsutil.exe\n  binary_2:\n    OriginalFileName: fsutil.exe\n  selection:\n    CommandLine|contains:\n    - deletejournal\n    - createjournal\n  condition: (1 of binary_*) and selection\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\n\n
\n}}'),(9921,'Issue',549,15,'T1070'),(9922,'Issue',550,1,'Suspicious GUP Usage'),(9923,'Issue',550,2,'Florian Roth'),(9924,'Issue',550,8,'https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html'),(9925,'Issue',550,10,'high'),(9926,'Issue',550,13,'community'),(9927,'Issue',550,14,'windows'),(9929,'Issue',550,11,'64acf349c'),(9930,'Issue',550,12,'0a4f6091-223b-41f6-8743-f322ec84930b'),(9931,'Issue',550,16,'win-proc'),(9932,'Issue',550,17,''),(9933,'Issue',550,7,''),(9934,'Issue',550,3,'Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks'),(9935,'Issue',550,4,''),(9936,'Issue',550,5,'_False Positives_\nExecution of tools named GUP.exe and located in folders different than Notepad++\\updater'),(9937,'Issue',550,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\GUP.exe AND (NOT (process.executable.keyword:(C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\Notepad\\+\\+\\\\updater\\\\gup.exe))))\nindex: so-*\nname: Suspicious GUP Usage\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9938,'Issue',550,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious GUP Usage\nid: 0a4f6091-223b-41f6-8743-f322ec84930b\ndescription: Detects execution of the Notepad++ updater in a suspicious directory,\n  which is often used in DLL side-loading attacks\nstatus: experimental\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html\ntags:\n- attack.defense_evasion\n- attack.t1073\nauthor: Florian Roth\ndate: 2019/02/06\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\GUP.exe\'\n  filter:\n    Image:\n    - C:\\Users\\\\*\\AppData\\Local\\Notepad++\\updater\\gup.exe\n    - C:\\Users\\\\*\\AppData\\Roaming\\Notepad++\\updater\\gup.exe\n    - C:\\Program Files\\Notepad++\\updater\\gup.exe\n    - C:\\Program Files (x86)\\Notepad++\\updater\\gup.exe\n  condition: selection and not filter\nfalsepositives:\n- Execution of tools named GUP.exe and located in folders different than Notepad++\\updater\nlevel: high\n\n
\n}}'),(9939,'Issue',550,15,'T1073'),(9940,'Issue',551,1,'IIS Native-Code Module Command Line Installation'),(9941,'Issue',551,2,'Florian Roth'),(9942,'Issue',551,8,'https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/'),(9943,'Issue',551,10,'medium'),(9944,'Issue',551,13,'community'),(9945,'Issue',551,14,'windows'),(9947,'Issue',551,11,'181436e25'),(9948,'Issue',551,12,'9465ddf4-f9e4-4ebd-8d98-702df3a93239'),(9949,'Issue',551,16,'win-proc'),(9950,'Issue',551,17,''),(9951,'Issue',551,7,''),(9952,'Issue',551,3,'Detects suspicious IIS native-code module installations via command line'),(9953,'Issue',551,4,''),(9954,'Issue',551,5,'_False Positives_\nUnknown as it may vary from organisation to arganisation how admins use to install IIS modules'),(9955,'Issue',551,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\APPCMD.EXE\\ install\\ module\\ \\/name\\:*))\nindex: so-*\nname: IIS Native-Code Module Command Line Installation\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9956,'Issue',551,9,'{{collapse(View Sigma)\n
\n\ntitle: IIS Native-Code Module Command Line Installation\nid: 9465ddf4-f9e4-4ebd-8d98-702df3a93239\ndescription: Detects suspicious IIS native-code module installations via command line\nstatus: experimental\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/\nauthor: Florian Roth\ndate: 2012/12/11\ntags:\n- attack.persistence\n- attack.t1100\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\APPCMD.EXE install module /name:*\'\n  condition: selection\nfalsepositives:\n- Unknown as it may vary from organisation to arganisation how admins use to install\n  IIS modules\nlevel: medium\n\n
\n}}'),(9957,'Issue',551,15,'T1100'),(9958,'Issue',552,1,'Suspicious MsiExec Directory'),(9959,'Issue',552,2,'Florian Roth'),(9960,'Issue',552,8,'https://twitter.com/200_okay_/status/1194765831911215104'),(9961,'Issue',552,10,'high'),(9962,'Issue',552,13,'community'),(9963,'Issue',552,14,'windows'),(9965,'Issue',552,11,'37c63b72b'),(9966,'Issue',552,12,'e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144'),(9967,'Issue',552,16,'win-proc'),(9968,'Issue',552,17,''),(9969,'Issue',552,7,''),(9970,'Issue',552,3,'Detects suspicious msiexec process starts in an uncommon directory'),(9971,'Issue',552,4,''),(9972,'Issue',552,5,'_False Positives_\nUnknown'),(9973,'Issue',552,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\msiexec.exe AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\*))))\nindex: so-*\nname: Suspicious MsiExec Directory\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9974,'Issue',552,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious MsiExec Directory\nid: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144\nstatus: experimental\ndescription: Detects suspicious msiexec process starts in an uncommon directory\nreferences:\n- https://twitter.com/200_okay_/status/1194765831911215104\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2019/11/14\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\msiexec.exe\'\n  filter:\n    Image:\n    - C:\\Windows\\System32\\\\*\n    - C:\\Windows\\SysWOW64\\\\*\n    - C:\\Windows\\WinSxS\\\\*\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9975,'Issue',552,15,'T1036'),(9976,'Issue',553,1,'MsiExec Web Install'),(9977,'Issue',553,2,'Florian Roth'),(9978,'Issue',553,8,'https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/'),(9979,'Issue',553,10,'medium'),(9980,'Issue',553,13,'community'),(9981,'Issue',553,14,'windows'),(9982,'Issue',553,15,''),(9983,'Issue',553,11,'2175aa08b'),(9984,'Issue',553,12,'f7b5f842-a6af-4da5-9e95-e32478f3cd2f'),(9985,'Issue',553,16,'win-proc'),(9986,'Issue',553,17,''),(9987,'Issue',553,7,''),(9988,'Issue',553,3,'Detects suspicious msiexec process starts with web addreses as parameter'),(9989,'Issue',553,4,''),(9990,'Issue',553,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9991,'Issue',553,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ msiexec*\\:\\/\\/*))\nindex: so-*\nname: MsiExec Web Install\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(9992,'Issue',553,9,'{{collapse(View Sigma)\n
\n\ntitle: MsiExec Web Install\nid: f7b5f842-a6af-4da5-9e95-e32478f3cd2f\nstatus: experimental\ndescription: Detects suspicious msiexec process starts with web addreses as parameter\nreferences:\n- https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/\ntags:\n- attack.defense_evasion\nauthor: Florian Roth\ndate: 2018/02/09\nmodified: 2012/12/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* msiexec*://*\'\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(9993,'Issue',554,1,'Malicious Payload Download via Office Binaries'),(9994,'Issue',554,2,'Beyu Denis, oscd.community'),(9995,'Issue',554,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml\nhttps://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191\nReegun J (OCBC Bank)'),(9996,'Issue',554,10,'high'),(9997,'Issue',554,13,'community'),(9998,'Issue',554,14,'windows'),(10000,'Issue',554,11,'8099ea1df'),(10001,'Issue',554,12,'0c79148b-118e-472b-bdb7-9b57b444cc19'),(10002,'Issue',554,16,'win-proc'),(10003,'Issue',554,17,''),(10004,'Issue',554,7,''),(10005,'Issue',554,3,'Downloads payload from remote server'),(10006,'Issue',554,4,''),(10007,'Issue',554,5,'_False Positives_\nUnknown'),(10008,'Issue',554,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\powerpnt.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND process.command_line.keyword:*http*)\nindex: so-*\nname: Malicious Payload Download via Office Binaries\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10009,'Issue',554,9,'{{collapse(View Sigma)\n
\n\ntitle: Malicious Payload Download via Office Binaries\nid: 0c79148b-118e-472b-bdb7-9b57b444cc19\nstatus: experimental\ndescription: Downloads payload from remote server\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml\n- https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191\n- Reegun J (OCBC Bank)\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.command_and_control\n- attack.t1105\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith:\n    - \\powerpnt.exe\n    - \\winword.exe\n    - \\excel.exe\n    CommandLine|contains: http\n  condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(10010,'Issue',554,15,'T1105'),(10011,'Issue',555,1,'Net.exe Execution'),(10012,'Issue',555,2,'Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)'),(10013,'Issue',555,8,'https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/\nhttps://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html'),(10014,'Issue',555,10,'low'),(10015,'Issue',555,13,'community'),(10016,'Issue',555,14,'windows'),(10018,'Issue',555,11,'8e384336b'),(10019,'Issue',555,12,'183e7ea8-ac4b-4c23-9aec-b3dac4e401ac'),(10020,'Issue',555,16,'win-proc'),(10021,'Issue',555,17,''),(10022,'Issue',555,7,''),(10023,'Issue',555,3,'Detects execution of Net.exe, whether suspicious or benign.'),(10024,'Issue',555,4,''),(10025,'Issue',555,5,'_False Positives_\nWill need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine\nParentCommandLine'),(10026,'Issue',555,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:(*\\ group* OR *\\ localgroup* OR *\\ user* OR *\\ view* OR *\\ share OR *\\ accounts* OR *\\ use* OR *\\ stop\\ *))\nindex: so-*\nname: Net.exe Execution\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10027,'Issue',555,9,'{{collapse(View Sigma)\n
\n\ntitle: Net.exe Execution\nid: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac\nstatus: experimental\ndescription: Detects execution of Net.exe, whether suspicious or benign.\nreferences:\n- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/\n- https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html\n- https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html\n- https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html\nauthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community\n  (improvements)\ndate: 2019/01/16\ntags:\n- attack.s0039\n- attack.t1027\n- attack.t1049\n- attack.t1077\n- attack.t1135\n- attack.lateral_movement\n- attack.discovery\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\net.exe\'\n    - \'*\\net1.exe\'\n  cmdline:\n    CommandLine:\n    - \'* group*\'\n    - \'* localgroup*\'\n    - \'* user*\'\n    - \'* view*\'\n    - \'* share\'\n    - \'* accounts*\'\n    - \'* use*\'\n    - \'* stop *\'\n  condition: selection and cmdline\nfields:\n- ComputerName\n- User\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine\n  following the search for easy hunting by computer/CommandLine.\nlevel: low\n\n
\n}}'),(10028,'Issue',555,15,'T1027'),(10029,'Issue',555,15,'T1049'),(10030,'Issue',555,15,'T1077'),(10031,'Issue',555,15,'T1135'),(10032,'Issue',556,1,'Suspicious Netsh DLL Persistence'),(10033,'Issue',556,2,'Victor Sergeev, oscd.community'),(10034,'Issue',556,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md'),(10035,'Issue',556,10,'high'),(10036,'Issue',556,13,'community'),(10037,'Issue',556,14,'windows'),(10039,'Issue',556,11,'bc3cec555'),(10040,'Issue',556,12,'56321594-9087-49d9-bf10-524fe8479452'),(10041,'Issue',556,16,'win-proc'),(10042,'Issue',556,17,''),(10043,'Issue',556,7,''),(10044,'Issue',556,3,'Detects persitence via netsh helper'),(10045,'Issue',556,4,''),(10046,'Issue',556,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine\nParentCommandLine'),(10047,'Issue',556,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\netsh.exe AND process.command_line.keyword:*add* AND process.command_line.keyword:*helper*)\nindex: so-*\nname: Suspicious Netsh DLL Persistence\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10048,'Issue',556,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Netsh DLL Persistence\nid: 56321594-9087-49d9-bf10-524fe8479452\ndescription: Detects persitence via netsh helper\nstatus: testing\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md\ntags:\n    - attack.persistence\n    - attack.t1128\ndate: 2019/10/25\nmodified: 2019/10/25\nauthor: Victor Sergeev, oscd.community\nlogsource:\n    category: process_creation\n    product: windows   \ndetection:\n    selection:\n        Image|endswith: \'\\netsh.exe\'\n        CommandLine|contains|all:\n            - \'add\'\n            - \'helper\'\n    condition: selection\nfields:\n    - ComputerName\n    - User\n    - CommandLine\n    - ParentCommandLine\nfalsepositives:\n    - Unknown\nlevel: high\n\n
\n}}'),(10049,'Issue',556,15,'T1128'),(10050,'Issue',557,1,'Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)'),(10051,'Issue',557,2,'Thomas Patzke'),(10052,'Issue',557,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm'),(10053,'Issue',557,10,'high'),(10054,'Issue',557,13,'community'),(10055,'Issue',557,14,'windows'),(10057,'Issue',557,11,'49e9852da'),(10058,'Issue',557,12,'2afafd61-6aae-4df4-baed-139fa1f4c345'),(10059,'Issue',557,16,'win-proc'),(10060,'Issue',557,17,''),(10061,'Issue',557,7,''),(10062,'Issue',557,3,'Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)'),(10063,'Issue',557,4,''),(10064,'Issue',557,5,'_False Positives_\nNTDS maintenance'),(10065,'Issue',557,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\ntdsutil*)\nindex: so-*\nname: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10066,'Issue',557,9,'{{collapse(View Sigma)\n
\n\ntitle: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)\nid: 2afafd61-6aae-4df4-baed-139fa1f4c345\ndescription: Detects execution of ntdsutil.exe, which can be used for various attacks\n  against the NTDS database (NTDS.DIT)\nstatus: experimental\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm\nauthor: Thomas Patzke\ndate: 2019/01/16\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*\\ntdsutil*\'\n  condition: selection\nfalsepositives:\n- NTDS maintenance\nlevel: high\n\n
\n}}'),(10067,'Issue',557,15,'T1003'),(10068,'Issue',558,1,'Application Whitelisting Bypass via DLL Loaded by odbcconf.exe'),(10069,'Issue',558,2,'Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community'),(10070,'Issue',558,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml\nhttps://twitter.com/Hexacorn/status/1187143326673330176'),(10071,'Issue',558,10,'medium'),(10072,'Issue',558,13,'community'),(10073,'Issue',558,14,'windows'),(10075,'Issue',558,11,'0c974e293'),(10076,'Issue',558,12,'65d2be45-8600-4042-b4c0-577a1ff8a60e'),(10077,'Issue',558,16,'win-proc'),(10078,'Issue',558,17,''),(10079,'Issue',558,7,''),(10080,'Issue',558,3,'Detects defence evasion attempt via odbcconf.exe execution to load DLL'),(10081,'Issue',558,4,''),(10082,'Issue',558,5,'_False Positives_\nLegitimate use of odbcconf.exe by legitimate user'),(10083,'Issue',558,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\odbcconf.exe AND process.command_line.keyword:(*\\-f* OR *regsvr*)) OR (process.parent.executable.keyword:*\\\\odbcconf.exe AND process.executable.keyword:*\\\\rundll32.exe)))\nindex: so-*\nname: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10084,'Issue',558,9,'{{collapse(View Sigma)\n
\n\ntitle: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe\nid: 65d2be45-8600-4042-b4c0-577a1ff8a60e\ndescription: Detects defence evasion attempt via odbcconf.exe execution to load DLL\nstatus: experimental\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml\n- https://twitter.com/Hexacorn/status/1187143326673330176\nauthor: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/07\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    Image|endswith: \\odbcconf.exe\n    CommandLine|contains:\n    - -f\n    - regsvr\n  selection_2:\n    ParentImage|endswith: \\odbcconf.exe\n    Image|endswith: \\rundll32.exe\n  condition: selection_1 or selection_2\nlevel: medium\nfalsepositives:\n- Legitimate use of odbcconf.exe by legitimate user\n\n
\n}}'),(10085,'Issue',558,15,'T1218'),(10086,'Issue',559,1,'OpenWith.exe Executes Specified Binary'),(10087,'Issue',559,2,'Beyu Denis, oscd.community (rule), @harr0ey (idea)'),(10088,'Issue',559,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml\nhttps://twitter.com/harr0ey/status/991670870384021504'),(10089,'Issue',559,10,'high'),(10090,'Issue',559,13,'community'),(10091,'Issue',559,14,'windows'),(10093,'Issue',559,11,'1e6152842'),(10094,'Issue',559,12,'cec8e918-30f7-4e2d-9bfa-a59cc97ae60f'),(10095,'Issue',559,16,'win-proc'),(10096,'Issue',559,17,''),(10097,'Issue',559,7,''),(10098,'Issue',559,3,'The OpenWith.exe executes other binary'),(10099,'Issue',559,4,''),(10100,'Issue',559,5,'_False Positives_\nLegitimate use of OpenWith.exe by legitimate user'),(10101,'Issue',559,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\OpenWith.exe AND process.command_line.keyword:*\\/c*)\nindex: so-*\nname: OpenWith.exe Executes Specified Binary\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10102,'Issue',559,9,'{{collapse(View Sigma)\n
\n\ntitle: OpenWith.exe Executes Specified Binary\nid: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f\nstatus: experimental\ndescription: The OpenWith.exe executes other binary\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml\n- https://twitter.com/harr0ey/status/991670870384021504\nauthor: Beyu Denis, oscd.community (rule), @harr0ey (idea)\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\OpenWith.exe\n    CommandLine|contains: /c\n  condition: selection\nfalsepositives:\n- Legitimate use of OpenWith.exe by legitimate user\n\n
\n}}'),(10103,'Issue',559,15,'T1218'),(10104,'Issue',560,1,'Suspicious Execution from Outlook'),(10105,'Issue',560,2,'Markus Neis'),(10106,'Issue',560,8,'https://github.com/sensepost/ruler\nhttps://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html'),(10107,'Issue',560,10,'high'),(10108,'Issue',560,13,'community'),(10109,'Issue',560,14,'windows'),(10111,'Issue',560,11,'294e47aa7'),(10112,'Issue',560,12,'e212d415-0e93-435f-9e1a-f29005bb4723'),(10113,'Issue',560,16,'win-proc'),(10114,'Issue',560,17,''),(10115,'Issue',560,7,''),(10116,'Issue',560,3,'Detects EnableUnsafeClientMailRules used for Script Execution from Outlook'),(10117,'Issue',560,4,''),(10118,'Issue',560,5,'_False Positives_\nunknown'),(10119,'Issue',560,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*EnableUnsafeClientMailRules* OR (process.parent.executable.keyword:*\\\\outlook.exe AND process.command_line.keyword:\\\\\\\\*\\\\*.exe)))\nindex: so-*\nname: Suspicious Execution from Outlook\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10120,'Issue',560,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Execution from Outlook\nid: e212d415-0e93-435f-9e1a-f29005bb4723\nstatus: experimental\ndescription: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook\nreferences:\n- https://github.com/sensepost/ruler\n- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html\ntags:\n- attack.execution\n- attack.t1059\n- attack.t1202\nauthor: Markus Neis\ndate: 2018/12/27\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  clientMailRules:\n    CommandLine: \'*EnableUnsafeClientMailRules*\'\n  outlookExec:\n    ParentImage: \'*\\outlook.exe\'\n    CommandLine: \\\\\\\\*\\\\*.exe\n  condition: clientMailRules or outlookExec\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10121,'Issue',560,15,'T1059'),(10122,'Issue',560,15,'T1202'),(10123,'Issue',561,1,'Execution in Outlook Temp Folder'),(10124,'Issue',561,2,'Florian Roth'),(10125,'Issue',561,8,'none'),(10126,'Issue',561,10,'high'),(10127,'Issue',561,13,'community'),(10128,'Issue',561,14,'windows'),(10130,'Issue',561,11,'1162b3913'),(10131,'Issue',561,12,'a018fdc3-46a3-44e5-9afb-2cd4af1d4b39'),(10132,'Issue',561,16,'win-proc'),(10133,'Issue',561,17,''),(10134,'Issue',561,7,''),(10135,'Issue',561,3,'Detects a suspicious program execution in Outlook temp folder'),(10136,'Issue',561,4,''),(10137,'Issue',561,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10138,'Issue',561,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\*)\nindex: so-*\nname: Execution in Outlook Temp Folder\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10139,'Issue',561,9,'{{collapse(View Sigma)\n
\n\ntitle: Execution in Outlook Temp Folder\nid: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39\nstatus: experimental\ndescription: Detects a suspicious program execution in Outlook temp folder\nauthor: Florian Roth\ndate: 2019/10/01\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\Temporary Internet Files\\Content.Outlook\\\\*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10140,'Issue',561,15,'T1193'),(10141,'Issue',562,1,'Ping Hex IP'),(10142,'Issue',562,2,'Florian Roth'),(10143,'Issue',562,8,'https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna\nhttps://twitter.com/vysecurity/status/977198418354491392'),(10144,'Issue',562,10,'high'),(10145,'Issue',562,13,'community'),(10146,'Issue',562,14,'windows'),(10148,'Issue',562,11,'478a5066b'),(10149,'Issue',562,12,'1a0d4aba-7668-4365-9ce4-6d79ab088dfd'),(10150,'Issue',562,16,'win-proc'),(10151,'Issue',562,17,''),(10152,'Issue',562,7,''),(10153,'Issue',562,3,'Detects a ping command that uses a hex encoded IP address'),(10154,'Issue',562,4,''),(10155,'Issue',562,5,'_False Positives_\nUnlikely, because no sane admin pings IP addresses in a hexadecimal form\n\n_Interesting Log Fields_\nParentCommandLine'),(10156,'Issue',562,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\ping.exe\\ 0x* OR *\\\\ping\\ 0x*))\nindex: so-*\nname: Ping Hex IP\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10157,'Issue',562,9,'{{collapse(View Sigma)\n
\n\ntitle: Ping Hex IP\nid: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd\ndescription: Detects a ping command that uses a hex encoded IP address\nreferences:\n- https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna\n- https://twitter.com/vysecurity/status/977198418354491392\nauthor: Florian Roth\ndate: 2018/03/23\ntags:\n- attack.defense_evasion\n- attack.t1140\n- attack.t1027\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\ping.exe 0x*\'\n    - \'*\\ping 0x*\'\n  condition: selection\nfields:\n- ParentCommandLine\nfalsepositives:\n- Unlikely, because no sane admin pings IP addresses in a hexadecimal form\nlevel: high\n\n
\n}}'),(10158,'Issue',562,15,'T1140'),(10159,'Issue',562,15,'T1027'),(10160,'Issue',563,1,'Empire PowerShell Launch Parameters'),(10161,'Issue',563,2,'Florian Roth'),(10162,'Issue',563,8,'https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64'),(10163,'Issue',563,10,'critical'),(10164,'Issue',563,13,'community'),(10165,'Issue',563,14,'windows'),(10167,'Issue',563,11,'182824220'),(10168,'Issue',563,12,'79f4ede3-402e-41c8-bc3e-ebbf5f162581'),(10169,'Issue',563,16,'win-proc'),(10170,'Issue',563,17,''),(10171,'Issue',563,7,''),(10172,'Issue',563,3,'Detects suspicious powershell command line parameters used in Empire'),(10173,'Issue',563,4,''),(10174,'Issue',563,5,'_False Positives_\n Unknown'),(10175,'Issue',563,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-NoP\\ \\-sta\\ \\-NonI\\ \\-W\\ Hidden\\ \\-Enc\\ * OR *\\ \\-noP\\ \\-sta\\ \\-w\\ 1\\ \\-enc\\ * OR *\\ \\-NoP\\ \\-NonI\\ \\-W\\ Hidden\\ \\-enc\\ *))\nindex: so-*\nname: Empire PowerShell Launch Parameters\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10176,'Issue',563,9,'{{collapse(View Sigma)\n
\n\ntitle: Empire PowerShell Launch Parameters\nid: 79f4ede3-402e-41c8-bc3e-ebbf5f162581\ndescription: Detects suspicious powershell command line parameters used in Empire\nstatus: experimental\nreferences:\n- https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\nauthor: Florian Roth\ndate: 2019/04/20\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -NoP -sta -NonI -W Hidden -Enc *\'\n    - \'* -noP -sta -w 1 -enc *\'\n    - \'* -NoP -NonI -W Hidden -enc *\'\n  condition: selection\nlevel: critical\n\n
\n}}'),(10177,'Issue',563,15,'T1086'),(10178,'Issue',564,1,'Empire PowerShell UAC Bypass'),(10179,'Issue',564,2,'Ecco'),(10180,'Issue',564,8,'https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64'),(10181,'Issue',564,10,'critical'),(10182,'Issue',564,13,'community'),(10183,'Issue',564,14,'windows'),(10185,'Issue',564,11,'517422778'),(10186,'Issue',564,12,'3268b746-88d8-4cd3-bffc-30077d02c787'),(10187,'Issue',564,16,'win-proc'),(10188,'Issue',564,17,''),(10189,'Issue',564,7,''),(10190,'Issue',564,3,'Detects some Empire PowerShell UAC bypass methods'),(10191,'Issue',564,4,''),(10192,'Issue',564,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10193,'Issue',564,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-NoP\\ \\-NonI\\ \\-w\\ Hidden\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\)* OR *\\ \\-NoP\\ \\-NonI\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\);*))\nindex: so-*\nname: Empire PowerShell UAC Bypass\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10194,'Issue',564,9,'{{collapse(View Sigma)\n
\n\ntitle: Empire PowerShell UAC Bypass\nid: 3268b746-88d8-4cd3-bffc-30077d02c787\nstatus: experimental\ndescription: Detects some Empire PowerShell UAC bypass methods\nreferences:\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64\nauthor: Ecco\ndate: 2019/08/30\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*\'\n    - \'* -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(10195,'Issue',564,15,'T1088'),(10196,'Issue',565,1,'Suspicious Encoded PowerShell Command Line'),(10197,'Issue',565,2,'Florian Roth, Markus Neis'),(10198,'Issue',565,8,'https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e'),(10199,'Issue',565,10,'high'),(10200,'Issue',565,13,'community'),(10201,'Issue',565,14,'windows'),(10203,'Issue',565,11,'9528c3459'),(10204,'Issue',565,12,'ca2092a1-c273-4878-9b4b-0d60115bf5ea'),(10205,'Issue',565,16,'win-proc'),(10206,'Issue',565,17,''),(10207,'Issue',565,7,''),(10208,'Issue',565,3,'Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)'),(10209,'Issue',565,4,''),(10210,'Issue',565,5,'_False Positives_\n Unknown'),(10211,'Issue',565,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-e\\ JAB* OR *\\ \\-e\\ \\ JAB* OR *\\ \\-e\\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ \\ JAB* OR *\\ \\-en\\ JAB* OR *\\ \\-enc\\ JAB* OR *\\ \\-enc*\\ JAB* OR *\\ \\-w\\ hidden\\ \\-e*\\ JAB* OR *\\ BA\\^J\\ e\\- OR *\\ \\-e\\ SUVYI* OR *\\ \\-e\\ aWV4I* OR *\\ \\-e\\ SQBFAFgA* OR *\\ \\-e\\ aQBlAHgA* OR *\\ \\-enc\\ SUVYI* OR *\\ \\-enc\\ aWV4I* OR *\\ \\-enc\\ SQBFAFgA* OR *\\ \\-enc\\ aQBlAHgA*) AND (NOT (process.command_line.keyword:*\\ \\-ExecutionPolicy\\ remotesigned\\ *)))\nindex: so-*\nname: Suspicious Encoded PowerShell Command Line\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10212,'Issue',565,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Encoded PowerShell Command Line\nid: ca2092a1-c273-4878-9b4b-0d60115bf5ea\ndescription: Detects suspicious powershell process starts with base64 encoded commands\n  (e.g. Emotet)\nstatus: experimental\nreferences:\n- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e\nauthor: Florian Roth, Markus Neis\ndate: 2018/09/03\nmodified: 2019/12/16\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* -e JAB*\'\n    - \'* -e  JAB*\'\n    - \'* -e   JAB*\'\n    - \'* -e    JAB*\'\n    - \'* -e     JAB*\'\n    - \'* -e      JAB*\'\n    - \'* -en JAB*\'\n    - \'* -enc JAB*\'\n    - \'* -enc* JAB*\'\n    - \'* -w hidden -e* JAB*\'\n    - \'* BA^J e-\'\n    - \'* -e SUVYI*\'\n    - \'* -e aWV4I*\'\n    - \'* -e SQBFAFgA*\'\n    - \'* -e aQBlAHgA*\'\n    - \'* -enc SUVYI*\'\n    - \'* -enc aWV4I*\'\n    - \'* -enc SQBFAFgA*\'\n    - \'* -enc aQBlAHgA*\'\n  falsepositive1:\n    CommandLine: \'* -ExecutionPolicy remotesigned *\'\n  condition: selection and not falsepositive1\nlevel: high\n\n
\n}}'),(10213,'Issue',565,15,'T1086'),(10214,'Issue',566,1,'Malicious Base64 Encoded PowerShell Keywords in Command Lines'),(10215,'Issue',566,2,'John Lambert (rule)'),(10216,'Issue',566,8,'http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/'),(10217,'Issue',566,10,'high'),(10218,'Issue',566,13,'community'),(10219,'Issue',566,14,'windows'),(10221,'Issue',566,11,'7ae9f0c0e'),(10222,'Issue',566,12,'f26c6093-6f14-4b12-800f-0fcb46f5ffd0'),(10223,'Issue',566,16,'win-proc'),(10224,'Issue',566,17,''),(10225,'Issue',566,7,''),(10226,'Issue',566,3,'Detects base64 encoded strings used in hidden malicious PowerShell command lines'),(10227,'Issue',566,4,''),(10228,'Issue',566,5,'_False Positives_\nPenetration tests'),(10229,'Issue',566,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*\\ hidden\\ * AND process.command_line.keyword:(*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA* OR *aXRzYWRtaW4gL3RyYW5zZmVy* OR *IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA* OR *JpdHNhZG1pbiAvdHJhbnNmZX* OR *YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg* OR *Yml0c2FkbWluIC90cmFuc2Zlc* OR *AGMAaAB1AG4AawBfAHMAaQB6AGUA* OR *JABjAGgAdQBuAGsAXwBzAGkAegBlA* OR *JGNodW5rX3Npem* OR *QAYwBoAHUAbgBrAF8AcwBpAHoAZQ* OR *RjaHVua19zaXpl* OR *Y2h1bmtfc2l6Z* OR *AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A* OR *kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg* OR *lPLkNvbXByZXNzaW9u* OR *SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA* OR *SU8uQ29tcHJlc3Npb2* OR *Ty5Db21wcmVzc2lvb* OR *AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ* OR *kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA* OR *lPLk1lbW9yeVN0cmVhb* OR *SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A* OR *SU8uTWVtb3J5U3RyZWFt* OR *Ty5NZW1vcnlTdHJlYW* OR *4ARwBlAHQAQwBoAHUAbgBrA* OR *5HZXRDaHVua* OR *AEcAZQB0AEMAaAB1AG4Aaw* OR *LgBHAGUAdABDAGgAdQBuAGsA* OR *LkdldENodW5r* OR *R2V0Q2h1bm* OR *AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A* OR *QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA* OR *RIUkVBRF9JTkZPNj* OR *SFJFQURfSU5GTzY0* OR *VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA* OR *VEhSRUFEX0lORk82N* OR *AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA* OR *cmVhdGVSZW1vdGVUaHJlYW* OR *MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA* OR *NyZWF0ZVJlbW90ZVRocmVhZ* OR *Q3JlYXRlUmVtb3RlVGhyZWFk* OR *QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA* OR *0AZQBtAG0AbwB2AGUA* OR *1lbW1vdm* OR *AGUAbQBtAG8AdgBlA* OR *bQBlAG0AbQBvAHYAZQ* OR *bWVtbW92Z* OR *ZW1tb3Zl*))\nindex: so-*\nname: Malicious Base64 Encoded PowerShell Keywords in Command Lines\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10230,'Issue',566,9,'{{collapse(View Sigma)\n
\n\ntitle: Malicious Base64 Encoded PowerShell Keywords in Command Lines\nid: f26c6093-6f14-4b12-800f-0fcb46f5ffd0\nstatus: experimental\ndescription: Detects base64 encoded strings used in hidden malicious PowerShell command\n  lines\nreferences:\n- http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/\ntags:\n- attack.execution\n- attack.t1086\nauthor: John Lambert (rule)\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  encoded:\n    Image: \'*\\powershell.exe\'\n    CommandLine: \'* hidden *\'\n  selection:\n    CommandLine:\n    - \'*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*\'\n    - \'*aXRzYWRtaW4gL3RyYW5zZmVy*\'\n    - \'*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*\'\n    - \'*JpdHNhZG1pbiAvdHJhbnNmZX*\'\n    - \'*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*\'\n    - \'*Yml0c2FkbWluIC90cmFuc2Zlc*\'\n    - \'*AGMAaAB1AG4AawBfAHMAaQB6AGUA*\'\n    - \'*JABjAGgAdQBuAGsAXwBzAGkAegBlA*\'\n    - \'*JGNodW5rX3Npem*\'\n    - \'*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*\'\n    - \'*RjaHVua19zaXpl*\'\n    - \'*Y2h1bmtfc2l6Z*\'\n    - \'*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*\'\n    - \'*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*\'\n    - \'*lPLkNvbXByZXNzaW9u*\'\n    - \'*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*\'\n    - \'*SU8uQ29tcHJlc3Npb2*\'\n    - \'*Ty5Db21wcmVzc2lvb*\'\n    - \'*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*\'\n    - \'*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*\'\n    - \'*lPLk1lbW9yeVN0cmVhb*\'\n    - \'*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*\'\n    - \'*SU8uTWVtb3J5U3RyZWFt*\'\n    - \'*Ty5NZW1vcnlTdHJlYW*\'\n    - \'*4ARwBlAHQAQwBoAHUAbgBrA*\'\n    - \'*5HZXRDaHVua*\'\n    - \'*AEcAZQB0AEMAaAB1AG4Aaw*\'\n    - \'*LgBHAGUAdABDAGgAdQBuAGsA*\'\n    - \'*LkdldENodW5r*\'\n    - \'*R2V0Q2h1bm*\'\n    - \'*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*\'\n    - \'*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*\'\n    - \'*RIUkVBRF9JTkZPNj*\'\n    - \'*SFJFQURfSU5GTzY0*\'\n    - \'*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*\'\n    - \'*VEhSRUFEX0lORk82N*\'\n    - \'*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*\'\n    - \'*cmVhdGVSZW1vdGVUaHJlYW*\'\n    - \'*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*\'\n    - \'*NyZWF0ZVJlbW90ZVRocmVhZ*\'\n    - \'*Q3JlYXRlUmVtb3RlVGhyZWFk*\'\n    - \'*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*\'\n    - \'*0AZQBtAG0AbwB2AGUA*\'\n    - \'*1lbW1vdm*\'\n    - \'*AGUAbQBtAG8AdgBlA*\'\n    - \'*bQBlAG0AbQBvAHYAZQ*\'\n    - \'*bWVtbW92Z*\'\n    - \'*ZW1tb3Zl*\'\n  condition: encoded and selection\nfalsepositives:\n- Penetration tests\nlevel: high\n\n
\n}}'),(10231,'Issue',566,15,'T1086'),(10232,'Issue',567,1,'Suspicious PowerShell Invocation Based on Parent Process'),(10233,'Issue',567,2,'Florian Roth'),(10234,'Issue',567,8,'https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/'),(10235,'Issue',567,10,'medium'),(10236,'Issue',567,13,'community'),(10237,'Issue',567,14,'windows'),(10239,'Issue',567,11,'770115f6d'),(10240,'Issue',567,12,'95eadcb2-92e4-4ed1-9031-92547773a6db'),(10241,'Issue',567,16,'win-proc'),(10242,'Issue',567,17,''),(10243,'Issue',567,7,''),(10244,'Issue',567,3,'Detects suspicious powershell invocations from interpreters or unusual programs'),(10245,'Issue',567,4,''),(10246,'Issue',567,5,'_False Positives_\nMicrosoft Operations Manager (MOM)\nOther scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10247,'Issue',567,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.executable.keyword:(*\\\\powershell.exe)) AND (NOT (process.working_directory\".keyword:*\\\\Health\\ Service\\ State\\\\*)))\nindex: so-*\nname: Suspicious PowerShell Invocation Based on Parent Process\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10248,'Issue',567,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious PowerShell Invocation Based on Parent Process\nid: 95eadcb2-92e4-4ed1-9031-92547773a6db\nstatus: experimental\ndescription: Detects suspicious powershell invocations from interpreters or unusual\n  programs\nauthor: Florian Roth\ndate: 2019/01/16\nreferences:\n- https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    Image:\n    - \'*\\powershell.exe\'\n  falsepositive:\n    CurrentDirectory: \'*\\Health Service State\\\\*\'\n  condition: selection and not falsepositive\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Microsoft Operations Manager (MOM)\n- Other scripts\nlevel: medium\n\n
\n}}'),(10249,'Issue',567,15,'T1086'),(10250,'Issue',568,1,'Suspicious Use of Procdump'),(10251,'Issue',568,2,'Florian Roth'),(10252,'Issue',568,8,'Internal Research'),(10253,'Issue',568,10,'high'),(10254,'Issue',568,13,'community'),(10255,'Issue',568,14,'windows'),(10257,'Issue',568,11,'5a6ba744a'),(10258,'Issue',568,12,'5afee48e-67dd-4e03-a783-f74259dcf998'),(10259,'Issue',568,16,'win-proc'),(10260,'Issue',568,17,''),(10261,'Issue',568,7,''),(10262,'Issue',568,3,'Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we\'re also able to catch cases in which the attacker has renamed the procdump executable.'),(10263,'Issue',568,4,''),(10264,'Issue',568,5,'_False Positives_\nUnlikely, because no one should dump an lsass process memory\nAnother tool that uses the command line switches of Procdump'),(10265,'Issue',568,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-ma\\ *) AND process.command_line.keyword:(*\\ lsass*)) OR process.command_line.keyword:(*\\ \\-ma\\ ls*)))\nindex: so-*\nname: Suspicious Use of Procdump\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10266,'Issue',568,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Use of Procdump\nid: 5afee48e-67dd-4e03-a783-f74259dcf998\ndescription: Detects suspicious uses of the SysInternals Procdump utility by using\n  a special command line parameter in combination with the lsass.exe process. This\n  way we\'re also able to catch cases in which the attacker has renamed the procdump\n  executable.\nstatus: experimental\nreferences:\n- Internal Research\nauthor: Florian Roth\ndate: 2018/10/30\nmodified: 2019/10/14\ntags:\n- attack.defense_evasion\n- attack.t1036\n- attack.credential_access\n- attack.t1003\n- car.2013-05-009\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n    - \'* -ma *\'\n  selection2:\n    CommandLine:\n    - \'* lsass*\'\n  selection3:\n    CommandLine:\n    - \'* -ma ls*\'\n  condition: ( selection1 and selection2 ) or selection3\nfalsepositives:\n- Unlikely, because no one should dump an lsass process memory\n- Another tool that uses the command line switches of Procdump\nlevel: high\n\n
\n}}'),(10267,'Issue',568,15,'T1036'),(10268,'Issue',568,15,'T1003'),(10269,'Issue',569,1,'Suspicious Process Creation'),(10270,'Issue',569,2,'Florian Roth, Daniil Yugoslavskiy, oscd.community (update)'),(10271,'Issue',569,8,'https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/\nhttps://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s\nhttps://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\nhttps://twitter.com/subTee/status/872244674609676288\nhttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples\nhttps://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html\nhttps://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\nhttps://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html\nhttps://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat\nhttps://twitter.com/vector_sec/status/896049052642533376\nhttp://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf'),(10272,'Issue',569,10,'medium'),(10273,'Issue',569,13,'community'),(10274,'Issue',569,14,'windows'),(10275,'Issue',569,15,''),(10276,'Issue',569,11,'fb8d9b1f4'),(10277,'Issue',569,12,'5f0f47a5-cb16-4dbe-9e31-e8d976d73de3'),(10278,'Issue',569,16,'win-proc'),(10279,'Issue',569,17,''),(10280,'Issue',569,7,''),(10281,'Issue',569,3,'Detects suspicious process starts on Windows systems based on keywords'),(10282,'Issue',569,4,''),(10283,'Issue',569,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10284,'Issue',569,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ sekurlsa\\:* OR net\\ localgroup\\ administrators\\ *\\ \\/add OR net\\ group\\ \\\"Domain\\ Admins\\\"\\ *\\ \\/ADD\\ \\/DOMAIN OR certutil.exe\\ *\\-urlcache*\\ http* OR certutil.exe\\ *\\-urlcache*\\ ftp* OR netsh\\ advfirewall\\ firewall\\ *\\\\AppData\\\\* OR attrib\\ \\+S\\ \\+H\\ \\+R\\ *\\\\AppData\\\\* OR schtasks*\\ \\/create\\ *\\\\AppData\\\\* OR schtasks*\\ \\/sc\\ minute* OR *\\\\Regasm.exe\\ *\\\\AppData\\\\* OR *\\\\Regasm\\ *\\\\AppData\\\\* OR *\\\\bitsadmin*\\ \\/transfer* OR *\\\\certutil.exe\\ *\\ \\-decode\\ * OR *\\\\certutil.exe\\ *\\ \\-decodehex\\ * OR *\\\\certutil.exe\\ \\-ping\\ * OR icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q OR *\\ wbadmin.exe\\ delete\\ catalog\\ \\-quiet* OR *\\\\wscript.exe\\ *.jse OR *\\\\wscript.exe\\ *.js OR *\\\\wscript.exe\\ *.vba OR *\\\\wscript.exe\\ *.vbe OR *\\\\cscript.exe\\ *.jse OR *\\\\cscript.exe\\ *.js OR *\\\\cscript.exe\\ *.vba OR *\\\\cscript.exe\\ *.vbe OR *\\\\fodhelper.exe OR *waitfor*\\/s* OR *waitfor*\\/si\\ persist* OR *remote*\\/s* OR *remote*\\/c* OR *remote*\\/q* OR *AddInProcess* OR *\\ \\/stext\\ * OR *\\ \\/scomma\\ * OR *\\ \\/stab\\ * OR *\\ \\/stabular\\ * OR *\\ \\/shtml\\ * OR *\\ \\/sverhtml\\ * OR *\\ \\/sxml\\ *))\nindex: so-*\nname: Suspicious Process Creation\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10285,'Issue',569,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Process Creation\nid: 5f0f47a5-cb16-4dbe-9e31-e8d976d73de3\ndescription: Detects suspicious process starts on Windows systems based on keywords\nstatus: experimental\nreferences:\n- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/\n- https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s\n- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\n- https://twitter.com/subTee/status/872244674609676288\n- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples\n- https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html\n- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\n- https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html\n- https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat\n- https://twitter.com/vector_sec/status/896049052642533376\n- http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf\nauthor: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)\ndate: 2018/01/01\nmodified: 2019/11/01\ntags:\n- car.2013-07-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* sekurlsa:*\'\n    - net localgroup administrators * /add\n    - net group \"Domain Admins\" * /ADD /DOMAIN\n    - certutil.exe *-urlcache* http*\n    - certutil.exe *-urlcache* ftp*\n    - netsh advfirewall firewall *\\AppData\\\\*\n    - attrib +S +H +R *\\AppData\\\\*\n    - schtasks* /create *\\AppData\\\\*\n    - schtasks* /sc minute*\n    - \'*\\Regasm.exe *\\AppData\\\\*\'\n    - \'*\\Regasm *\\AppData\\\\*\'\n    - \'*\\bitsadmin* /transfer*\'\n    - \'*\\certutil.exe * -decode *\'\n    - \'*\\certutil.exe * -decodehex *\'\n    - \'*\\certutil.exe -ping *\'\n    - icacls * /grant Everyone:F /T /C /Q\n    - \'* wbadmin.exe delete catalog -quiet*\'\n    - \'*\\wscript.exe *.jse\'\n    - \'*\\wscript.exe *.js\'\n    - \'*\\wscript.exe *.vba\'\n    - \'*\\wscript.exe *.vbe\'\n    - \'*\\cscript.exe *.jse\'\n    - \'*\\cscript.exe *.js\'\n    - \'*\\cscript.exe *.vba\'\n    - \'*\\cscript.exe *.vbe\'\n    - \'*\\fodhelper.exe\'\n    - \'*waitfor*/s*\'\n    - \'*waitfor*/si persist*\'\n    - \'*remote*/s*\'\n    - \'*remote*/c*\'\n    - \'*remote*/q*\'\n    - \'*AddInProcess*\'\n    - \'* /stext *\'\n    - \'* /scomma *\'\n    - \'* /stab *\'\n    - \'* /stabular *\'\n    - \'* /shtml *\'\n    - \'* /sverhtml *\'\n    - \'* /sxml *\'\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10286,'Issue',570,1,'Suspicious Program Location Process Starts'),(10287,'Issue',570,2,'Florian Roth'),(10288,'Issue',570,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(10289,'Issue',570,10,'high'),(10290,'Issue',570,13,'community'),(10291,'Issue',570,14,'windows'),(10293,'Issue',570,11,'8bd722168'),(10294,'Issue',570,12,'f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5'),(10295,'Issue',570,16,'win-proc'),(10296,'Issue',570,17,''),(10297,'Issue',570,7,''),(10298,'Issue',570,3,'Detects programs running in suspicious files system locations'),(10299,'Issue',570,4,''),(10300,'Issue',570,5,'_False Positives_\nunknown'),(10301,'Issue',570,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\* OR *\\\\Windows\\\\debug\\\\*))\nindex: so-*\nname: Suspicious Program Location Process Starts\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10302,'Issue',570,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Program Location Process Starts\nid: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5\nstatus: experimental\ndescription: Detects programs running in suspicious files system locations\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2019/01/15\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\$Recycle.bin\'\n    - \'*\\Users\\Public\\\\*\'\n    - C:\\Perflogs\\\\*\n    - \'*\\Windows\\Fonts\\\\*\'\n    - \'*\\Windows\\IME\\\\*\'\n    - \'*\\Windows\\addins\\\\*\'\n    - \'*\\Windows\\debug\\\\*\'\n  condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10303,'Issue',570,15,'T1036'),(10304,'Issue',571,1,'PowerShell Script Run in AppData'),(10305,'Issue',571,2,'Florian Roth'),(10306,'Issue',571,8,'https://twitter.com/JohnLaTwC/status/1082851155481288706\nhttps://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03'),(10307,'Issue',571,10,'medium'),(10308,'Issue',571,13,'community'),(10309,'Issue',571,14,'windows'),(10311,'Issue',571,11,'42ba455ec'),(10312,'Issue',571,12,'ac175779-025a-4f12-98b0-acdaeb77ea85'),(10313,'Issue',571,16,'win-proc'),(10314,'Issue',571,17,''),(10315,'Issue',571,7,''),(10316,'Issue',571,3,'Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder'),(10317,'Issue',571,4,''),(10318,'Issue',571,5,'_False Positives_\nAdministrative scripts'),(10319,'Issue',571,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\/c\\ powershell*\\\\AppData\\\\Local\\\\* OR *\\ \\/c\\ powershell*\\\\AppData\\\\Roaming\\\\*))\nindex: so-*\nname: PowerShell Script Run in AppData\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10320,'Issue',571,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell Script Run in AppData\nid: ac175779-025a-4f12-98b0-acdaeb77ea85\nstatus: experimental\ndescription: Detects a suspicious command line execution that invokes PowerShell with\n  reference to an AppData folder\nreferences:\n- https://twitter.com/JohnLaTwC/status/1082851155481288706\n- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03\ntags:\n- attack.execution\n- attack.t1086\nauthor: Florian Roth\ndate: 2019/01/09\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'* /c powershell*\\AppData\\Local\\\\*\'\n    - \'* /c powershell*\\AppData\\Roaming\\\\*\'\n  condition: selection\nfalsepositives:\n- Administrative scripts\nlevel: medium\n\n
\n}}'),(10321,'Issue',571,15,'T1086'),(10322,'Issue',572,1,'PowerShell DownloadFile'),(10323,'Issue',572,2,'Florian Roth'),(10324,'Issue',572,8,'https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html'),(10325,'Issue',572,10,'high'),(10326,'Issue',572,13,'community'),(10327,'Issue',572,14,'windows'),(10329,'Issue',572,11,'9c624cc24'),(10330,'Issue',572,12,'8f70ac5f-1f6f-4f8e-b454-db19561216c5'),(10331,'Issue',572,16,'win-proc'),(10332,'Issue',572,17,''),(10333,'Issue',572,7,''),(10334,'Issue',572,3,'Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line'),(10335,'Issue',572,4,''),(10336,'Issue',572,5,'_False Positives_\nUnknown'),(10337,'Issue',572,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*powershell* AND process.command_line.keyword:*.DownloadFile* AND process.command_line.keyword:*System.Net.WebClient*)\nindex: so-*\nname: PowerShell DownloadFile\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10338,'Issue',572,9,'{{collapse(View Sigma)\n
\n\ntitle: PowerShell DownloadFile\nid: 8f70ac5f-1f6f-4f8e-b454-db19561216c5\nstatus: experimental\ndescription: Detects the execution of powershell, a WebClient object creation and\n  the invocation of DownloadFile in a single command line\nreferences:\n- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\nauthor: Florian Roth\ndate: 2020/03/25\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n    - powershell\n    - .DownloadFile\n    - System.Net.WebClient\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10339,'Issue',572,15,'T1086'),(10340,'Issue',573,1,'Psr.exe Capture Screenshots'),(10341,'Issue',573,2,'Beyu Denis, oscd.community'),(10342,'Issue',573,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml\nhttps://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf'),(10343,'Issue',573,10,'medium'),(10344,'Issue',573,13,'community'),(10345,'Issue',573,14,'windows'),(10347,'Issue',573,11,'5688f942b'),(10348,'Issue',573,12,'2158f96f-43c2-43cb-952a-ab4580f32382'),(10349,'Issue',573,16,'win-proc'),(10350,'Issue',573,17,''),(10351,'Issue',573,7,''),(10352,'Issue',573,3,'The psr.exe captures desktop screenshots and saves them on the local machine'),(10353,'Issue',573,4,''),(10354,'Issue',573,5,'_False Positives_\nUnknown'),(10355,'Issue',573,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Psr.exe AND process.command_line.keyword:*\\/start*)\nindex: so-*\nname: Psr.exe Capture Screenshots\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10356,'Issue',573,9,'{{collapse(View Sigma)\n
\n\ntitle: Psr.exe Capture Screenshots\nid: 2158f96f-43c2-43cb-952a-ab4580f32382\nstatus: experimental\ndescription: The psr.exe captures desktop screenshots and saves them on the local\n  machine\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml\n- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.t1218\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\Psr.exe\n    CommandLine|contains: /start\n  condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(10357,'Issue',573,15,'T1218'),(10358,'Issue',574,1,'Suspicious RASdial Activity'),(10359,'Issue',574,2,'juju4'),(10360,'Issue',574,8,'https://twitter.com/subTee/status/891298217907830785'),(10361,'Issue',574,10,'medium'),(10362,'Issue',574,13,'community'),(10363,'Issue',574,14,'windows'),(10365,'Issue',574,11,'5b5babf55'),(10366,'Issue',574,12,'6bba49bf-7f8c-47d6-a1bb-6b4dece4640e'),(10367,'Issue',574,16,'win-proc'),(10368,'Issue',574,17,''),(10369,'Issue',574,7,''),(10370,'Issue',574,3,'Detects suspicious process related to rasdial.exe'),(10371,'Issue',574,4,''),(10372,'Issue',574,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10373,'Issue',574,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"rasdial\"))\nindex: so-*\nname: Suspicious RASdial Activity\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10374,'Issue',574,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious RASdial Activity\nid: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e\ndescription: Detects suspicious process related to rasdial.exe\nstatus: experimental\nreferences:\n- https://twitter.com/subTee/status/891298217907830785\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - rasdial\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10375,'Issue',574,15,'T1064'),(10376,'Issue',575,1,'Suspicious Reconnaissance Activity'),(10377,'Issue',575,2,'Florian Roth'),(10378,'Issue',575,8,'none'),(10379,'Issue',575,10,'medium'),(10380,'Issue',575,13,'community'),(10381,'Issue',575,14,'windows'),(10383,'Issue',575,11,'b1f48d3a8'),(10384,'Issue',575,12,'d95de845-b83c-4a9a-8a6a-4fc802ebf6c0'),(10385,'Issue',575,16,'win-proc'),(10386,'Issue',575,17,''),(10387,'Issue',575,7,''),(10388,'Issue',575,3,'Detects suspicious command line activity on Windows systems'),(10389,'Issue',575,4,''),(10390,'Issue',575,5,'_False Positives_\nInventory tool runs\nPenetration tests\nAdministrative activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10391,'Issue',575,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"net\\ group\\ \\\"domain\\ admins\\\"\\ \\/domain\" OR \"net\\ localgroup\\ administrators\"))\nindex: so-*\nname: Suspicious Reconnaissance Activity\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10392,'Issue',575,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Reconnaissance Activity\nid: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0\nstatus: experimental\ndescription: Detects suspicious command line activity on Windows systems\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.discovery\n- attack.t1087\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - net group \"domain admins\" /domain\n    - net localgroup administrators\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Inventory tool runs\n- Penetration tests\n- Administrative activity\nanalysis:\n  recommendation: Check if the user that executed the commands is suspicious (e.g.\n    service accounts, LOCAL_SYSTEM)\nlevel: medium\n\n
\n}}'),(10393,'Issue',575,15,'T1087'),(10394,'Issue',576,1,'Regsvr32 Anomaly'),(10395,'Issue',576,2,'Florian Roth'),(10396,'Issue',576,8,'https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html'),(10397,'Issue',576,10,'high'),(10398,'Issue',576,13,'community'),(10399,'Issue',576,14,'windows'),(10401,'Issue',576,11,'e316d1d1d'),(10402,'Issue',576,12,'8e2b24c9-4add-46a0-b4bb-0057b4e6187d'),(10403,'Issue',576,16,'win-proc'),(10404,'Issue',576,17,''),(10405,'Issue',576,7,''),(10406,'Issue',576,3,'Detects various anomalies in relation to regsvr32.exe'),(10407,'Issue',576,4,''),(10408,'Issue',576,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10409,'Issue',576,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\regsvr32.exe AND process.command_line.keyword:*\\\\Temp\\\\*) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.parent.executable.keyword:*\\\\powershell.exe) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.parent.executable.keyword:*\\\\cmd.exe) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.command_line.keyword:(*\\/i\\:http*\\ scrobj.dll OR *\\/i\\:ftp*\\ scrobj.dll)) OR (process.executable.keyword:*\\\\wscript.exe AND process.parent.executable.keyword:*\\\\regsvr32.exe) OR (process.executable.keyword:*\\\\EXCEL.EXE AND process.command_line.keyword:*..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe\\ *)))\nindex: so-*\nname: Regsvr32 Anomaly\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10410,'Issue',576,9,'{{collapse(View Sigma)\n
\n\ntitle: Regsvr32 Anomaly\nid: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d\nstatus: experimental\ndescription: Detects various anomalies in relation to regsvr32.exe\nauthor: Florian Roth\ndate: 2019/01/16\nreferences:\n- https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html\ntags:\n- attack.t1117\n- attack.defense_evasion\n- attack.execution\n- car.2019-04-002\n- car.2019-04-003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image: \'*\\regsvr32.exe\'\n    CommandLine: \'*\\Temp\\\\*\'\n  selection2:\n    Image: \'*\\regsvr32.exe\'\n    ParentImage: \'*\\powershell.exe\'\n  selection3:\n    Image: \'*\\regsvr32.exe\'\n    ParentImage: \'*\\cmd.exe\'\n  selection4:\n    Image: \'*\\regsvr32.exe\'\n    CommandLine:\n    - \'*/i:http* scrobj.dll\'\n    - \'*/i:ftp* scrobj.dll\'\n  selection5:\n    Image: \'*\\wscript.exe\'\n    ParentImage: \'*\\regsvr32.exe\'\n  selection6:\n    Image: \'*\\EXCEL.EXE\'\n    CommandLine: \'*..\\..\\..\\Windows\\System32\\regsvr32.exe *\'\n  condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10411,'Issue',576,15,'T1117'),(10412,'Issue',577,1,'Renamed ZOHO Dctask64'),(10413,'Issue',577,2,'Florian Roth'),(10414,'Issue',577,8,'https://twitter.com/gN3mes1s/status/1222088214581825540\nhttps://twitter.com/gN3mes1s/status/1222095963789111296\nhttps://twitter.com/gN3mes1s/status/1222095371175911424'),(10415,'Issue',577,10,'high'),(10416,'Issue',577,13,'community'),(10417,'Issue',577,14,'windows'),(10419,'Issue',577,11,'393865805'),(10420,'Issue',577,12,'340a090b-c4e9-412e-bb36-b4b16fe96f9b'),(10421,'Issue',577,16,'win-proc'),(10422,'Issue',577,17,''),(10423,'Issue',577,7,''),(10424,'Issue',577,3,'Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation'),(10425,'Issue',577,4,''),(10426,'Issue',577,5,'_False Positives_\nUnknown yet\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nParentImage'),(10427,'Issue',577,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.Imphash:\"6834B1B94E49701D77CCB3C0895E1AFD\" AND (NOT (process.executable.keyword:*\\\\dctask64.exe)))\nindex: so-*\nname: Renamed ZOHO Dctask64\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10428,'Issue',577,9,'{{collapse(View Sigma)\n
\n\ntitle: Renamed ZOHO Dctask64\nid: 340a090b-c4e9-412e-bb36-b4b16fe96f9b\nstatus: experimental\ndescription: Detects a renamed dctask64.exe used for process injection, command execution,\n  process creation with a signed binary by ZOHO Corporation\nreferences:\n- https://twitter.com/gN3mes1s/status/1222088214581825540\n- https://twitter.com/gN3mes1s/status/1222095963789111296\n- https://twitter.com/gN3mes1s/status/1222095371175911424\nauthor: Florian Roth\ndate: 2020/01/28\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Imphash: 6834B1B94E49701D77CCB3C0895E1AFD\n  filter:\n    Image|endswith: \\dctask64.exe\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\n- ParentImage\nfalsepositives:\n- Unknown yet\nlevel: high\n\n
\n}}'),(10429,'Issue',577,15,'T1055'),(10430,'Issue',578,1,'Suspicious Process Start Locations'),(10431,'Issue',578,2,'juju4'),(10432,'Issue',578,8,'https://car.mitre.org/wiki/CAR-2013-05-002'),(10433,'Issue',578,10,'medium'),(10434,'Issue',578,13,'community'),(10435,'Issue',578,14,'windows'),(10437,'Issue',578,11,'a6272c5e4'),(10438,'Issue',578,12,'15b75071-74cc-47e0-b4c6-b43744a62a2b'),(10439,'Issue',578,16,'win-proc'),(10440,'Issue',578,17,''),(10441,'Issue',578,7,''),(10442,'Issue',578,3,'Detects suspicious process run from unusual locations'),(10443,'Issue',578,4,''),(10444,'Issue',578,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10445,'Issue',578,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\:\\\\RECYCLER\\\\* OR *\\:\\\\SystemVolumeInformation\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\debug\\\\* OR C\\:\\\\Windows\\\\fonts\\\\* OR C\\:\\\\Windows\\\\help\\\\* OR C\\:\\\\Windows\\\\drivers\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\cursors\\\\* OR C\\:\\\\Windows\\\\system32\\\\tasks\\\\*))\nindex: so-*\nname: Suspicious Process Start Locations\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10446,'Issue',578,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Process Start Locations\nid: 15b75071-74cc-47e0-b4c6-b43744a62a2b\ndescription: Detects suspicious process run from unusual locations\nstatus: experimental\nreferences:\n- https://car.mitre.org/wiki/CAR-2013-05-002\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1036\n- car.2013-05-002\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*:\\RECYCLER\\\\*\'\n    - \'*:\\SystemVolumeInformation\\\\*\'\n    - C:\\\\Windows\\\\Tasks\\\\*\n    - C:\\\\Windows\\\\debug\\\\*\n    - C:\\\\Windows\\\\fonts\\\\*\n    - C:\\\\Windows\\\\help\\\\*\n    - C:\\\\Windows\\\\drivers\\\\*\n    - C:\\\\Windows\\\\addins\\\\*\n    - C:\\\\Windows\\\\cursors\\\\*\n    - C:\\\\Windows\\\\system32\\tasks\\\\*\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10447,'Issue',578,15,'T1036'),(10448,'Issue',579,1,'Suspicious Rundll32 Activity'),(10449,'Issue',579,2,'juju4'),(10450,'Issue',579,8,'http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/\nhttps://twitter.com/Hexacorn/status/885258886428725250\nhttps://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52'),(10451,'Issue',579,10,'medium'),(10452,'Issue',579,13,'community'),(10453,'Issue',579,14,'windows'),(10455,'Issue',579,11,'c359373f5'),(10456,'Issue',579,12,'e593cf51-88db-4ee1-b920-37e89012a3c9'),(10457,'Issue',579,16,'win-proc'),(10458,'Issue',579,17,''),(10459,'Issue',579,7,''),(10460,'Issue',579,3,'Detects suspicious process related to rundll32 based on arguments'),(10461,'Issue',579,4,''),(10462,'Issue',579,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10463,'Issue',579,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\rundll32.exe*\\ url.dll,*OpenURL\\ * OR *\\\\rundll32.exe*\\ url.dll,*OpenURLA\\ * OR *\\\\rundll32.exe*\\ url.dll,*FileProtocolHandler\\ * OR *\\\\rundll32.exe*\\ zipfldr.dll,*RouteTheCall\\ * OR *\\\\rundll32.exe*\\ Shell32.dll,*Control_RunDLL\\ * OR *\\\\rundll32.exe\\ javascript\\:* OR *\\ url.dll,*OpenURL\\ * OR *\\ url.dll,*OpenURLA\\ * OR *\\ url.dll,*FileProtocolHandler\\ * OR *\\ zipfldr.dll,*RouteTheCall\\ * OR *\\ Shell32.dll,*Control_RunDLL\\ * OR *\\ javascript\\:* OR *.RegisterXLL*))\nindex: so-*\nname: Suspicious Rundll32 Activity\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10464,'Issue',579,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Rundll32 Activity\nid: e593cf51-88db-4ee1-b920-37e89012a3c9\ndescription: Detects suspicious process related to rundll32 based on arguments\nstatus: experimental\nreferences:\n- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/\n- https://twitter.com/Hexacorn/status/885258886428725250\n- https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\nauthor: juju4\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\rundll32.exe* url.dll,*OpenURL *\'\n    - \'*\\rundll32.exe* url.dll,*OpenURLA *\'\n    - \'*\\rundll32.exe* url.dll,*FileProtocolHandler *\'\n    - \'*\\rundll32.exe* zipfldr.dll,*RouteTheCall *\'\n    - \'*\\rundll32.exe* Shell32.dll,*Control_RunDLL *\'\n    - \'*\\rundll32.exe javascript:*\'\n    - \'* url.dll,*OpenURL *\'\n    - \'* url.dll,*OpenURLA *\'\n    - \'* url.dll,*FileProtocolHandler *\'\n    - \'* zipfldr.dll,*RouteTheCall *\'\n    - \'* Shell32.dll,*Control_RunDLL *\'\n    - \'* javascript:*\'\n    - \'*.RegisterXLL*\'\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10465,'Issue',579,15,'T1085'),(10466,'Issue',580,1,'Suspicious Call by Ordinal'),(10467,'Issue',580,2,'Florian Roth'),(10468,'Issue',580,8,'https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/\nhttps://github.com/Neo23x0/DLLRunner\nhttps://twitter.com/cyb3rops/status/1186631731543236608'),(10469,'Issue',580,10,'high'),(10470,'Issue',580,13,'community'),(10471,'Issue',580,14,'windows'),(10473,'Issue',580,11,'b8fe700a1'),(10474,'Issue',580,12,'e79a9e79-eb72-4e78-a628-0e7e8f59e89c'),(10475,'Issue',580,16,'win-proc'),(10476,'Issue',580,17,''),(10477,'Issue',580,7,''),(10478,'Issue',580,3,'Detects suspicious calls of DLLs in rundll32.dll exports by ordinal'),(10479,'Issue',580,4,''),(10480,'Issue',580,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\nWindows contol panel elements have been identified as source (mmc)'),(10481,'Issue',580,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\rundll32.exe\\ *,#*)\nindex: so-*\nname: Suspicious Call by Ordinal\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10482,'Issue',580,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Call by Ordinal\nid: e79a9e79-eb72-4e78-a628-0e7e8f59e89c\ndescription: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal\nstatus: experimental\nreferences:\n- https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/\n- https://github.com/Neo23x0/DLLRunner\n- https://twitter.com/cyb3rops/status/1186631731543236608\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\nauthor: Florian Roth\ndate: 2019/10/22\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*\\rundll32.exe *,#*\'\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\n- Windows contol panel elements have been identified as source (mmc)\nlevel: high\n\n
\n}}'),(10483,'Issue',580,15,'T1085'),(10484,'Issue',581,1,'Scheduled Task Creation'),(10485,'Issue',581,2,'Florian Roth'),(10486,'Issue',581,8,'none'),(10487,'Issue',581,10,'low'),(10488,'Issue',581,13,'community'),(10489,'Issue',581,14,'windows'),(10491,'Issue',581,11,'337aa5b57'),(10492,'Issue',581,12,'92626ddd-662c-49e3-ac59-f6535f12d189'),(10493,'Issue',581,16,'win-proc'),(10494,'Issue',581,17,''),(10495,'Issue',581,7,''),(10496,'Issue',581,3,'Detects the creation of scheduled tasks in user session'),(10497,'Issue',581,4,''),(10498,'Issue',581,5,'_False Positives_\nAdministrative activity\nSoftware installation\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10499,'Issue',581,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\schtasks.exe AND process.command_line.keyword:*\\ \\/create\\ *) AND (NOT (event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: Scheduled Task Creation\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10500,'Issue',581,9,'{{collapse(View Sigma)\n
\n\ntitle: Scheduled Task Creation\nid: 92626ddd-662c-49e3-ac59-f6535f12d189\nstatus: experimental\ndescription: Detects the creation of scheduled tasks in user session\nauthor: Florian Roth\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\schtasks.exe\'\n    CommandLine: \'* /create *\'\n  filter:\n    User: NT AUTHORITY\\SYSTEM\n  condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.execution\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1053\n- attack.s0111\n- car.2013-08-001\nfalsepositives:\n- Administrative activity\n- Software installation\nlevel: low\n\n
\n}}'),(10501,'Issue',581,15,'T1053'),(10502,'Issue',582,1,'WSF/JSE/JS/VBA/VBE File Execution'),(10503,'Issue',582,2,'Michael Haag'),(10504,'Issue',582,8,'none'),(10505,'Issue',582,10,'medium'),(10506,'Issue',582,13,'community'),(10507,'Issue',582,14,'windows'),(10509,'Issue',582,11,'6ed3e4c86'),(10510,'Issue',582,12,'1e33157c-53b1-41ad-bbcc-780b80b58288'),(10511,'Issue',582,16,'win-proc'),(10512,'Issue',582,17,''),(10513,'Issue',582,7,''),(10514,'Issue',582,3,'Detects suspicious file execution by wscript and cscript'),(10515,'Issue',582,4,''),(10516,'Issue',582,5,'_False Positives_\nWill need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10517,'Issue',582,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.command_line.keyword:(*.jse OR *.vbe OR *.js OR *.vba))\nindex: so-*\nname: WSF/JSE/JS/VBA/VBE File Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10518,'Issue',582,9,'{{collapse(View Sigma)\n
\n\ntitle: WSF/JSE/JS/VBA/VBE File Execution\nid: 1e33157c-53b1-41ad-bbcc-780b80b58288\nstatus: experimental\ndescription: Detects suspicious file execution by wscript and cscript\nauthor: Michael Haag\ndate: 2019/01/16\ntags:\n- attack.execution\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\wscript.exe\'\n    - \'*\\cscript.exe\'\n    CommandLine:\n    - \'*.jse\'\n    - \'*.vbe\'\n    - \'*.js\'\n    - \'*.vba\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Will need to be tuned. I recommend adding the user profile path in CommandLine if\n  it is getting too noisy.\nlevel: medium\n\n
\n}}'),(10519,'Issue',582,15,'T1064'),(10520,'Issue',583,1,'Suspicious Service Path Modification'),(10521,'Issue',583,2,'Victor Sergeev, oscd.community'),(10522,'Issue',583,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml'),(10523,'Issue',583,10,'high'),(10524,'Issue',583,13,'community'),(10525,'Issue',583,14,'windows'),(10527,'Issue',583,11,'4809892f5'),(10528,'Issue',583,12,'138d3531-8793-4f50-a2cd-f291b2863d78'),(10529,'Issue',583,16,'win-proc'),(10530,'Issue',583,17,''),(10531,'Issue',583,7,''),(10532,'Issue',583,3,'Detects service path modification to powershell/cmd'),(10533,'Issue',583,4,''),(10534,'Issue',583,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10535,'Issue',583,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\sc.exe AND process.command_line.keyword:*config* AND process.command_line.keyword:*binpath* AND process.command_line.keyword:(*powershell* OR *cmd*))\nindex: so-*\nname: Suspicious Service Path Modification\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10536,'Issue',583,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Service Path Modification\nid: 138d3531-8793-4f50-a2cd-f291b2863d78\ndescription: Detects service path modification to powershell/cmd\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml\ntags:\n- attack.persistence\n- attack.t1031\ndate: 2019/10/21\nmodified: 2019/11/10\nauthor: Victor Sergeev, oscd.community\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_1:\n    Image|endswith: \\sc.exe\n    CommandLine|contains|all:\n    - config\n    - binpath\n  selection_2:\n    CommandLine|contains:\n    - powershell\n    - cmd\n  condition: selection_1 and selection_2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10537,'Issue',583,15,'T1031'),(10538,'Issue',584,1,'Squirrel Lolbin'),(10539,'Issue',584,2,'Karneades / Markus Neis'),(10540,'Issue',584,8,'http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\nhttp://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/'),(10541,'Issue',584,10,'high'),(10542,'Issue',584,13,'community'),(10543,'Issue',584,14,'windows'),(10544,'Issue',584,15,''),(10545,'Issue',584,11,'820e704e9'),(10546,'Issue',584,12,'fa4b21c9-0057-4493-b289-2556416ae4d7'),(10547,'Issue',584,16,'win-proc'),(10548,'Issue',584,17,''),(10549,'Issue',584,7,''),(10550,'Issue',584,3,'Detects Possible Squirrel Packages Manager as Lolbin'),(10551,'Issue',584,4,''),(10552,'Issue',584,5,'_False Positives_\n1Clipboard\nBeaker Browser\nCaret\nCollectie\nDiscord\nFigma\nFlow\nGhost\nGitHub Desktop\nGitKraken\nHyper\nInsomnia\nJIBO\nKap\nKitematic\nNow Desktop\nPostman\nPostmanCanary\nRambox\nSimplenote\nSkype\nSlack\nSourceTree\nStride\nSvgsus\nWebTorrent\nWhatsApp\nWordPress.com\natom\ngitkraken\nslack\nteams'),(10553,'Issue',584,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\update.exe) AND process.command_line.keyword:(*\\-\\-processStart*.exe* OR *\\-\\-processStartAndWait*.exe* OR *\\-\\-createShortcut*.exe*))\nindex: so-*\nname: Squirrel Lolbin\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10554,'Issue',584,9,'{{collapse(View Sigma)\n
\n\ntitle: Squirrel Lolbin\nid: fa4b21c9-0057-4493-b289-2556416ae4d7\nstatus: experimental\ndescription: Detects Possible Squirrel Packages Manager as Lolbin\nreferences:\n- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\n- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/\ntags:\n- attack.execution\nauthor: Karneades / Markus Neis\ndate: 2019/11/12\nfalsepositives:\n- 1Clipboard\n- Beaker Browser\n- Caret\n- Collectie\n- Discord\n- Figma\n- Flow\n- Ghost\n- GitHub Desktop\n- GitKraken\n- Hyper\n- Insomnia\n- JIBO\n- Kap\n- Kitematic\n- Now Desktop\n- Postman\n- PostmanCanary\n- Rambox\n- Simplenote\n- Skype\n- Slack\n- SourceTree\n- Stride\n- Svgsus\n- WebTorrent\n- WhatsApp\n- WordPress.com\n- atom\n- gitkraken\n- slack\n- teams\nlevel: high\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\update.exe\'\n    CommandLine:\n    - \'*--processStart*.exe*\'\n    - \'*--processStartAndWait*.exe*\'\n    - \'*--createShortcut*.exe*\'\n  condition: selection\n\n
\n}}'),(10555,'Issue',585,1,'Suspicious Svchost Process'),(10556,'Issue',585,2,'Florian Roth'),(10557,'Issue',585,8,'none'),(10558,'Issue',585,10,'high'),(10559,'Issue',585,13,'community'),(10560,'Issue',585,14,'windows'),(10562,'Issue',585,11,'e79b5ce03'),(10563,'Issue',585,12,'01d2e2a1-5f09-44f7-9fc1-24faa7479b6d'),(10564,'Issue',585,16,'win-proc'),(10565,'Issue',585,17,''),(10566,'Issue',585,7,''),(10567,'Issue',585,3,'Detects a suspicious svchost process start'),(10568,'Issue',585,4,''),(10569,'Issue',585,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10570,'Issue',585,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\svchost.exe AND (NOT (process.parent.executable.keyword:(*\\\\services.exe OR *\\\\MsMpEng.exe OR *\\\\Mrt.exe OR *\\\\rpcnet.exe OR *\\\\svchost.exe)))) AND (NOT (NOT _exists_:process.parent.executable)))\nindex: so-*\nname: Suspicious Svchost Process\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10571,'Issue',585,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Svchost Process\nid: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d\nstatus: experimental\ndescription: Detects a suspicious svchost process start\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2017/08/15\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\svchost.exe\'\n  filter:\n    ParentImage:\n    - \'*\\services.exe\'\n    - \'*\\MsMpEng.exe\'\n    - \'*\\Mrt.exe\'\n    - \'*\\rpcnet.exe\'\n    - \'*\\svchost.exe\'\n  filter_null:\n    ParentImage:\n  condition: selection and not filter and not filter_null\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10572,'Issue',585,15,'T1036'),(10573,'Issue',586,1,'Suspect Svchost Activity'),(10574,'Issue',586,2,'David Burkett'),(10575,'Issue',586,8,'https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2'),(10576,'Issue',586,10,'critical'),(10577,'Issue',586,13,'community'),(10578,'Issue',586,14,'windows'),(10580,'Issue',586,11,'df188a171'),(10581,'Issue',586,12,'16c37b52-b141-42a5-a3ea-bbe098444397'),(10582,'Issue',586,16,'win-proc'),(10583,'Issue',586,17,''),(10584,'Issue',586,7,''),(10585,'Issue',586,3,'It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.'),(10586,'Issue',586,4,''),(10587,'Issue',586,5,'_False Positives_\nrpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10588,'Issue',586,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND NOT _exists_:process.command_line AND process.executable.keyword:*\\\\svchost.exe) AND (NOT (process.parent.executable.keyword:(*\\\\rpcnet.exe OR *\\\\rpcnetp.exe))))\nindex: so-*\nname: Suspect Svchost Activity\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10589,'Issue',586,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspect Svchost Activity\nid: 16c37b52-b141-42a5-a3ea-bbe098444397\nstatus: experimental\ndescription: It is extremely abnormal for svchost.exe to spawn without any CLI arguments\n  and is normally observed when a malicious process spawns the process and injects\n  code into the process memory space.\nreferences:\n- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\nauthor: David Burkett\ndate: 2019/12/28\ntags:\n- attack.t1055\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    CommandLine:\n  selection2:\n    Image: \'*\\svchost.exe\'\n  filter:\n    ParentImage:\n    - \'*\\rpcnet.exe\'\n    - \'*\\rpcnetp.exe\'\n  condition: (selection1 and selection2) and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\nlevel: critical\n\n
\n}}'),(10590,'Issue',586,15,'T1055'),(10591,'Issue',587,1,'Sysprep on AppData Folder'),(10592,'Issue',587,2,'Florian Roth'),(10593,'Issue',587,8,'https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets\nhttps://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b'),(10594,'Issue',587,10,'medium'),(10595,'Issue',587,13,'community'),(10596,'Issue',587,14,'windows'),(10597,'Issue',587,15,''),(10598,'Issue',587,11,'ec7672eaa'),(10599,'Issue',587,12,'d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e'),(10600,'Issue',587,16,'win-proc'),(10601,'Issue',587,17,''),(10602,'Issue',587,7,''),(10603,'Issue',587,3,'Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)'),(10604,'Issue',587,4,''),(10605,'Issue',587,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10606,'Issue',587,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\sysprep.exe\\ *\\\\AppData\\\\* OR sysprep.exe\\ *\\\\AppData\\\\*))\nindex: so-*\nname: Sysprep on AppData Folder\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10607,'Issue',587,9,'{{collapse(View Sigma)\n
\n\ntitle: Sysprep on AppData Folder\nid: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e\nstatus: experimental\ndescription: Detects suspicious sysprep process start with AppData folder as target\n  (as used by Trojan Syndicasec in Thrip report by Symantec)\nreferences:\n- https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets\n- https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b\ntags:\n- attack.execution\nauthor: Florian Roth\ndate: 2018/06/22\nmodified: 2018/12/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - \'*\\sysprep.exe *\\AppData\\\\*\'\n    - sysprep.exe *\\AppData\\\\*\n  condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n  environment\nlevel: medium\n\n
\n}}'),(10608,'Issue',588,1,'Suspicious SYSVOL Domain Group Policy Access'),(10609,'Issue',588,2,'Markus Neis'),(10610,'Issue',588,8,'https://adsecurity.org/?p=2288\nhttps://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100'),(10611,'Issue',588,10,'medium'),(10612,'Issue',588,13,'community'),(10613,'Issue',588,14,'windows'),(10615,'Issue',588,11,'3587e5ee1'),(10616,'Issue',588,12,'05f3c945-dcc8-4393-9f3d-af65077a8f86'),(10617,'Issue',588,16,'win-proc'),(10618,'Issue',588,17,''),(10619,'Issue',588,7,''),(10620,'Issue',588,3,'Detects Access to Domain Group Policies stored in SYSVOL'),(10621,'Issue',588,4,''),(10622,'Issue',588,5,'_False Positives_\nadministrative activity'),(10623,'Issue',588,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\SYSVOL\\\\*\\\\policies\\\\*)\nindex: so-*\nname: Suspicious SYSVOL Domain Group Policy Access\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10624,'Issue',588,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious SYSVOL Domain Group Policy Access\nid: 05f3c945-dcc8-4393-9f3d-af65077a8f86\nstatus: experimental\ndescription: Detects Access to Domain Group Policies stored in SYSVOL\nreferences:\n- https://adsecurity.org/?p=2288\n- https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100\nauthor: Markus Neis\ndate: 2018/04/09\nmodified: 2018/12/11\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*\\SYSVOL\\\\*\\policies\\\\*\'\n  condition: selection\nfalsepositives:\n- administrative activity\nlevel: medium\n\n
\n}}'),(10625,'Issue',588,15,'T1003'),(10626,'Issue',589,1,'Taskmgr as LOCAL_SYSTEM'),(10627,'Issue',589,2,'Florian Roth'),(10628,'Issue',589,8,'none'),(10629,'Issue',589,10,'high'),(10630,'Issue',589,13,'community'),(10631,'Issue',589,14,'windows'),(10633,'Issue',589,11,'6bcf5f333'),(10634,'Issue',589,12,'9fff585c-c33e-4a86-b3cd-39312079a65f'),(10635,'Issue',589,16,'win-proc'),(10636,'Issue',589,17,''),(10637,'Issue',589,7,''),(10638,'Issue',589,3,'Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM'),(10639,'Issue',589,4,''),(10640,'Issue',589,5,'_False Positives_\nUnkown'),(10641,'Issue',589,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\taskmgr.exe)\nindex: so-*\nname: Taskmgr as LOCAL_SYSTEM\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10642,'Issue',589,9,'{{collapse(View Sigma)\n
\n\ntitle: Taskmgr as LOCAL_SYSTEM\nid: 9fff585c-c33e-4a86-b3cd-39312079a65f\nstatus: experimental\ndescription: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2018/03/18\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    User: NT AUTHORITY\\SYSTEM\n    Image: \'*\\taskmgr.exe\'\n  condition: selection\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(10643,'Issue',589,15,'T1036'),(10644,'Issue',590,1,'Taskmgr as Parent'),(10645,'Issue',590,2,'Florian Roth'),(10646,'Issue',590,8,'none'),(10647,'Issue',590,10,'low'),(10648,'Issue',590,13,'community'),(10649,'Issue',590,14,'windows'),(10651,'Issue',590,11,'0181905d0'),(10652,'Issue',590,12,'3d7679bd-0c00-440c-97b0-3f204273e6c7'),(10653,'Issue',590,16,'win-proc'),(10654,'Issue',590,17,''),(10655,'Issue',590,7,''),(10656,'Issue',590,3,'Detects the creation of a process from Windows task manager'),(10657,'Issue',590,4,''),(10658,'Issue',590,5,'_False Positives_\nAdministrative activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nParentCommandLine'),(10659,'Issue',590,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\taskmgr.exe AND (NOT (process.executable.keyword:(*\\\\resmon.exe OR *\\\\mmc.exe OR *\\\\taskmgr.exe))))\nindex: so-*\nname: Taskmgr as Parent\npriority: 4\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10660,'Issue',590,9,'{{collapse(View Sigma)\n
\n\ntitle: Taskmgr as Parent\nid: 3d7679bd-0c00-440c-97b0-3f204273e6c7\nstatus: experimental\ndescription: Detects the creation of a process from Windows task manager\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2018/03/13\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\taskmgr.exe\'\n  filter:\n    Image:\n    - \'*\\resmon.exe\'\n    - \'*\\mmc.exe\'\n    - \'*\\taskmgr.exe\'\n  condition: selection and not filter\nfields:\n- Image\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative activity\nlevel: low\n\n
\n}}'),(10661,'Issue',590,15,'T1036'),(10662,'Issue',591,1,'Suspicious TSCON Start'),(10663,'Issue',591,2,'Florian Roth'),(10664,'Issue',591,8,'http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\nhttps://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6'),(10665,'Issue',591,10,'high'),(10666,'Issue',591,13,'community'),(10667,'Issue',591,14,'windows'),(10669,'Issue',591,11,'884abbf53'),(10670,'Issue',591,12,'9847f263-4a81-424f-970c-875dab15b79b'),(10671,'Issue',591,16,'win-proc'),(10672,'Issue',591,17,''),(10673,'Issue',591,7,''),(10674,'Issue',591,3,'Detects a tscon.exe start as LOCAL SYSTEM'),(10675,'Issue',591,4,''),(10676,'Issue',591,5,'_False Positives_\nUnknown'),(10677,'Issue',591,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\tscon.exe)\nindex: so-*\nname: Suspicious TSCON Start\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10678,'Issue',591,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious TSCON Start\nid: 9847f263-4a81-424f-970c-875dab15b79b\nstatus: experimental\ndescription: Detects a tscon.exe start as LOCAL SYSTEM\nreferences:\n- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\n- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6\nauthor: Florian Roth\ndate: 2018/03/17\ntags:\n- attack.command_and_control\n- attack.t1219\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    User: NT AUTHORITY\\SYSTEM\n    Image: \'*\\tscon.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10679,'Issue',591,15,'T1219'),(10680,'Issue',592,1,'Suspicious RDP Redirect Using TSCON'),(10681,'Issue',592,2,'Florian Roth'),(10682,'Issue',592,8,'http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\nhttps://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6'),(10683,'Issue',592,10,'high'),(10684,'Issue',592,13,'community'),(10685,'Issue',592,14,'windows'),(10687,'Issue',592,11,'0ad8fd2d6'),(10688,'Issue',592,12,'f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb'),(10689,'Issue',592,16,'win-proc'),(10690,'Issue',592,17,''),(10691,'Issue',592,7,''),(10692,'Issue',592,3,'Detects a suspicious RDP session redirect using tscon.exe'),(10693,'Issue',592,4,''),(10694,'Issue',592,5,'_False Positives_\nUnknown'),(10695,'Issue',592,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ \\/dest\\:rdp\\-tcp\\:*)\nindex: so-*\nname: Suspicious RDP Redirect Using TSCON\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10696,'Issue',592,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious RDP Redirect Using TSCON\nid: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb\nstatus: experimental\ndescription: Detects a suspicious RDP session redirect using tscon.exe\nreferences:\n- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\n- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6\ntags:\n- attack.lateral_movement\n- attack.privilege_escalation\n- attack.t1076\n- car.2013-07-002\nauthor: Florian Roth\ndate: 2018/03/17\nmodified: 2018/12/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'* /dest:rdp-tcp:*\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10697,'Issue',592,15,'T1076'),(10698,'Issue',593,1,'Suspicious Use of CSharp Interactive Console'),(10699,'Issue',593,2,'Michael R. (@nahamike01)'),(10700,'Issue',593,8,'https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/'),(10701,'Issue',593,10,'high'),(10702,'Issue',593,13,'community'),(10703,'Issue',593,14,'windows'),(10705,'Issue',593,11,'b2533edff'),(10706,'Issue',593,12,'a9e416a8-e613-4f8b-88b8-a7d1d1af2f61'),(10707,'Issue',593,16,'win-proc'),(10708,'Issue',593,17,''),(10709,'Issue',593,7,''),(10710,'Issue',593,3,'Detects the execution of CSharp interactive console by PowerShell'),(10711,'Issue',593,4,''),(10712,'Issue',593,5,'_False Positives_\nPossible depending on environment. Pair with other factors such as net connections, command-line args, etc.'),(10713,'Issue',593,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\csi.exe AND process.parent.executable.keyword:*\\\\powershell.exe AND OriginalFileName:\"csi.exe\")\nindex: so-*\nname: Suspicious Use of CSharp Interactive Console\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10714,'Issue',593,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Use of CSharp Interactive Console\nid: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61\nstatus: experimental\ndescription: Detects the execution of CSharp interactive console by PowerShell\nreferences:\n- https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/\nauthor: Michael R. (@nahamike01)\ndate: 2020/03/08\ntags:\n- attack.execution\n- attack.t1127\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\csi.exe\n    ParentImage|endswith: \\powershell.exe\n    OriginalFileName: csi.exe\n  condition: selection\nfalsepositives:\n- Possible depending on environment. Pair with other factors such as net connections,\n  command-line args, etc.\nlevel: high\n\n
\n}}'),(10715,'Issue',593,15,'T1127'),(10716,'Issue',594,1,'Suspicious Userinit Child Process'),(10717,'Issue',594,2,'Florian Roth (rule), Samir Bousseaden (idea)'),(10718,'Issue',594,8,'https://twitter.com/SBousseaden/status/1139811587760562176'),(10719,'Issue',594,10,'medium'),(10720,'Issue',594,13,'community'),(10721,'Issue',594,14,'windows'),(10722,'Issue',594,15,''),(10723,'Issue',594,11,'afd4cadf2'),(10724,'Issue',594,12,'b655a06a-31c0-477a-95c2-3726b83d649d'),(10725,'Issue',594,16,'win-proc'),(10726,'Issue',594,17,''),(10727,'Issue',594,7,''),(10728,'Issue',594,3,'Detects a suspicious child process of userinit'),(10729,'Issue',594,4,''),(10730,'Issue',594,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10731,'Issue',594,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\userinit.exe AND (NOT (process.command_line.keyword:*\\\\netlogon\\\\*))) AND (NOT (process.executable.keyword:*\\\\explorer.exe)))\nindex: so-*\nname: Suspicious Userinit Child Process\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10732,'Issue',594,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious Userinit Child Process\nid: b655a06a-31c0-477a-95c2-3726b83d649d\nstatus: experimental\ndescription: Detects a suspicious child process of userinit\nreferences:\n- https://twitter.com/SBousseaden/status/1139811587760562176\nauthor: Florian Roth (rule), Samir Bousseaden (idea)\ndate: 2019/06/17\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage: \'*\\userinit.exe\'\n  filter1:\n    CommandLine: \'*\\\\netlogon\\\\*\'\n  filter2:\n    Image: \'*\\explorer.exe\'\n  condition: selection and not filter1 and not filter2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: medium\n\n
\n}}'),(10733,'Issue',595,1,'Whoami Execution'),(10734,'Issue',595,2,'Florian Roth'),(10735,'Issue',595,8,'https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\nhttps://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/'),(10736,'Issue',595,10,'high'),(10737,'Issue',595,13,'community'),(10738,'Issue',595,14,'windows'),(10740,'Issue',595,11,'28ff9a2dc'),(10741,'Issue',595,12,'e28a5a99-da44-436d-b7a0-2afc20a5f413'),(10742,'Issue',595,16,'win-proc'),(10743,'Issue',595,17,''),(10744,'Issue',595,7,''),(10745,'Issue',595,3,'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators'),(10746,'Issue',595,4,''),(10747,'Issue',595,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(10748,'Issue',595,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\whoami.exe OR OriginalFileName:\"whoami.exe\"))\nindex: so-*\nname: Whoami Execution\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10749,'Issue',595,9,'{{collapse(View Sigma)\n
\n\ntitle: Whoami Execution\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\nstatus: experimental\ndescription: Detects the execution of whoami, which is often used by attackers after\n  exloitation / privilege escalation but rarely used by administrators\nreferences:\n- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\nauthor: Florian Roth\ndate: 2018/08/13\ntags:\n- attack.discovery\n- attack.t1033\n- car.2016-03-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\whoami.exe\'\n  selection2:\n    OriginalFileName: whoami.exe\n  condition: selection or selection2\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\nlevel: high\n\n
\n}}'),(10750,'Issue',595,15,'T1033'),(10751,'Issue',596,1,'Suspicious WMI Execution'),(10752,'Issue',596,2,'Michael Haag, Florian Roth, juju4'),(10753,'Issue',596,8,'https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/\nhttps://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1\nhttps://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/'),(10754,'Issue',596,10,'medium'),(10755,'Issue',596,13,'community'),(10756,'Issue',596,14,'windows'),(10758,'Issue',596,11,'c641d0d76'),(10759,'Issue',596,12,'526be59f-a573-4eea-b5f7-f0973207634d'),(10760,'Issue',596,16,'win-proc'),(10761,'Issue',596,17,''),(10762,'Issue',596,7,''),(10763,'Issue',596,3,'Detects WMI executing suspicious commands'),(10764,'Issue',596,4,''),(10765,'Issue',596,5,'_False Positives_\nWill need to be tuned\nIf using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10766,'Issue',596,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wmic.exe) AND process.command_line.keyword:(*\\/NODE\\:*process\\ call\\ create\\ * OR *\\ path\\ AntiVirusProduct\\ get\\ * OR *\\ path\\ FirewallProduct\\ get\\ * OR *\\ shadowcopy\\ delete\\ *))\nindex: so-*\nname: Suspicious WMI Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10767,'Issue',596,9,'{{collapse(View Sigma)\n
\n\ntitle: Suspicious WMI Execution\nid: 526be59f-a573-4eea-b5f7-f0973207634d\nstatus: experimental\ndescription: Detects WMI executing suspicious commands\nreferences:\n- https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/\n- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1\n- https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/\nauthor: Michael Haag, Florian Roth, juju4\ndate: 2019/01/16\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\wmic.exe\'\n    CommandLine:\n    - \'*/NODE:*process call create *\'\n    - \'* path AntiVirusProduct get *\'\n    - \'* path FirewallProduct get *\'\n    - \'* shadowcopy delete *\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.execution\n- attack.t1047\n- car.2016-03-002\nfalsepositives:\n- Will need to be tuned\n- If using Splunk, I recommend | stats count by Computer,CommandLine following for\n  easy hunting by Computer/CommandLine.\nlevel: medium\n\n
\n}}'),(10768,'Issue',596,15,'T1047'),(10769,'Issue',597,1,'Sysmon Driver Unload'),(10770,'Issue',597,2,'Kirill Kiryanov, oscd.community'),(10771,'Issue',597,8,'https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon'),(10772,'Issue',597,10,'high'),(10773,'Issue',597,13,'community'),(10774,'Issue',597,14,'windows'),(10775,'Issue',597,15,''),(10776,'Issue',597,11,'d7439c16c'),(10777,'Issue',597,12,'4d7cda18-1b12-4e52-b45c-d28653210df8'),(10778,'Issue',597,16,'win-proc'),(10779,'Issue',597,17,''),(10780,'Issue',597,7,''),(10781,'Issue',597,3,'Detect possible Sysmon driver unload'),(10782,'Issue',597,4,''),(10783,'Issue',597,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nDetails'),(10784,'Issue',597,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\fltmc.exe AND process.command_line.keyword:*unload* AND process.command_line.keyword:*sys*)\nindex: so-*\nname: Sysmon Driver Unload\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10785,'Issue',597,9,'{{collapse(View Sigma)\n
\n\ntitle: Sysmon Driver Unload\nid: 4d7cda18-1b12-4e52-b45c-d28653210df8\nstatus: experimental\nauthor: Kirill Kiryanov, oscd.community\ndescription: Detect possible Sysmon driver unload\ndate: 2019/10/23\nmodified: 2019/11/07\nreferences:\n- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection:\n    Image|endswith: \\fltmc.exe\n    CommandLine|contains|all:\n    - unload\n    - sys\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\nfields:\n- CommandLine\n- Details\n\n
\n}}'),(10786,'Issue',598,1,'System File Execution Location Anomaly'),(10787,'Issue',598,2,'Florian Roth, Patrick Bareiss'),(10788,'Issue',598,8,'https://twitter.com/GelosSnake/status/934900723426439170'),(10789,'Issue',598,10,'high'),(10790,'Issue',598,13,'community'),(10791,'Issue',598,14,'windows'),(10793,'Issue',598,11,'c8ddca7b8'),(10794,'Issue',598,12,'e4a6b256-3e47-40fc-89d2-7a477edd6915'),(10795,'Issue',598,16,'win-proc'),(10796,'Issue',598,17,''),(10797,'Issue',598,7,''),(10798,'Issue',598,3,'Detects a Windows program executable started in a suspicious folder'),(10799,'Issue',598,4,''),(10800,'Issue',598,5,'_False Positives_\nExotic software\n\n_Interesting Log Fields_\nComputerName\nUser\nImage'),(10801,'Issue',598,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\services.exe OR *\\\\powershell.exe OR *\\\\regsvr32.exe OR *\\\\spoolsv.exe OR *\\\\lsass.exe OR *\\\\smss.exe OR *\\\\csrss.exe OR *\\\\conhost.exe OR *\\\\wininit.exe OR *\\\\lsm.exe OR *\\\\winlogon.exe OR *\\\\explorer.exe OR *\\\\taskhost.exe) AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\system32\\\\* OR C\\:\\\\Windows\\\\SysWow64\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\explorer.exe OR C\\:\\\\Windows\\\\winsxs\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR \\\\SystemRoot\\\\System32\\\\*))))\nindex: so-*\nname: System File Execution Location Anomaly\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10802,'Issue',598,9,'{{collapse(View Sigma)\n
\n\ntitle: System File Execution Location Anomaly\nid: e4a6b256-3e47-40fc-89d2-7a477edd6915\nstatus: experimental\ndescription: Detects a Windows program executable started in a suspicious folder\nreferences:\n- https://twitter.com/GelosSnake/status/934900723426439170\nauthor: Florian Roth, Patrick Bareiss\ndate: 2017/11/27\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image:\n    - \'*\\svchost.exe\'\n    - \'*\\rundll32.exe\'\n    - \'*\\services.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\regsvr32.exe\'\n    - \'*\\spoolsv.exe\'\n    - \'*\\lsass.exe\'\n    - \'*\\smss.exe\'\n    - \'*\\csrss.exe\'\n    - \'*\\conhost.exe\'\n    - \'*\\wininit.exe\'\n    - \'*\\lsm.exe\'\n    - \'*\\winlogon.exe\'\n    - \'*\\explorer.exe\'\n    - \'*\\taskhost.exe\'\n  filter:\n    Image:\n    - C:\\Windows\\System32\\\\*\n    - C:\\Windows\\system32\\\\*\n    - C:\\Windows\\SysWow64\\\\*\n    - C:\\Windows\\SysWOW64\\\\*\n    - C:\\Windows\\explorer.exe\n    - C:\\Windows\\winsxs\\\\*\n    - C:\\Windows\\WinSxS\\\\*\n    - \\SystemRoot\\System32\\\\*\n  condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\nfalsepositives:\n- Exotic software\nlevel: high\n\n
\n}}'),(10803,'Issue',598,15,'T1036'),(10804,'Issue',599,1,'Tap Installer Execution'),(10805,'Issue',599,2,'Daniil Yugoslavskiy, Ian Davis, oscd.community'),(10806,'Issue',599,8,'none'),(10807,'Issue',599,10,'medium'),(10808,'Issue',599,13,'community'),(10809,'Issue',599,14,'windows'),(10811,'Issue',599,11,'f0f415f09'),(10812,'Issue',599,12,'99793437-3e16-439b-be0f-078782cf953d'),(10813,'Issue',599,16,'win-proc'),(10814,'Issue',599,17,''),(10815,'Issue',599,7,''),(10816,'Issue',599,3,'Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques'),(10817,'Issue',599,4,''),(10818,'Issue',599,5,'_False Positives_\nLegitimate OpenVPN TAP insntallation'),(10819,'Issue',599,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\tapinstall.exe)\nindex: so-*\nname: Tap Installer Execution\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10820,'Issue',599,9,'{{collapse(View Sigma)\n
\n\ntitle: Tap Installer Execution\nid: 99793437-3e16-439b-be0f-078782cf953d\ndescription: Well-known TAP software installation. Possible preparation for data exfiltration\n  using tunneling techniques\nstatus: experimental\nauthor: Daniil Yugoslavskiy, Ian Davis, oscd.community\ndate: 2019/10/24\ntags:\n- attack.exfiltration\n- attack.t1048\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\tapinstall.exe\n  condition: selection\nfalsepositives:\n- Legitimate OpenVPN TAP insntallation\nlevel: medium\n\n
\n}}'),(10821,'Issue',599,15,'T1048'),(10822,'Issue',600,1,'Tasks Folder Evasion'),(10823,'Issue',600,2,'Sreeman'),(10824,'Issue',600,8,'https://twitter.com/subTee/status/1216465628946563073\nhttps://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26'),(10825,'Issue',600,10,'high'),(10826,'Issue',600,13,'community'),(10827,'Issue',600,14,'windows'),(10829,'Issue',600,11,'0eb37ce7b'),(10830,'Issue',600,12,'cc4e02ba-9c06-48e2-b09e-2500cace9ae0'),(10831,'Issue',600,16,'win-proc'),(10832,'Issue',600,17,''),(10833,'Issue',600,7,''),(10834,'Issue',600,3,'The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr'),(10835,'Issue',600,4,''),(10836,'Issue',600,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentProcess\nCommandLine'),(10837,'Issue',600,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (process.command_line.keyword:(*echo\\ * OR *copy\\ * OR *type\\ * OR *file\\ createnew*) AND process.command_line.keyword:(*\\ C\\:\\\\Windows\\\\System32\\\\Tasks\\* OR *\\ C\\:\\\\Windows\\\\SysWow64\\\\Tasks\\*))\nindex: so-*\nname: Tasks Folder Evasion\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10838,'Issue',600,9,'{{collapse(View Sigma)\n
\n\ntitle: Tasks Folder Evasion\nid: cc4e02ba-9c06-48e2-b09e-2500cace9ae0\nstatus: experimental\ndescription: The Tasks folder in system32 and syswow64 are globally writable paths.\n  Adversaries can take advantage of this and load or influence any script hosts or\n  ANY .NET Application in Tasks to load and execute a custom assembly into cscript,\n  wscript, regsvr32, mshta, eventvwr\nreferences:\n- https://twitter.com/subTee/status/1216465628946563073\n- https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26\ndate: 2020/01/13\nauthor: Sreeman\ntags:\n- attack.t1064\n- attack.t1211\n- attack.t1059\n- attack.defense_evasion\n- attack.persistence\nlogsource:\n  product: Windows\ndetection:\n  selection1:\n    CommandLine|contains:\n    - \'echo \'\n    - \'copy \'\n    - \'type \'\n    - file createnew\n  selection2:\n    CommandLine|contains:\n    - \' C:\\Windows\\System32\\Tasks\\\'\n    - \' C:\\Windows\\SysWow64\\Tasks\\\'\n  condition: selection1 and selection2\nfields:\n- CommandLine\n- ParentProcess\n- CommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10839,'Issue',600,15,'T1064'),(10840,'Issue',600,15,'T1211'),(10841,'Issue',600,15,'T1059'),(10842,'Issue',601,1,'Terminal Service Process Spawn'),(10843,'Issue',601,2,'Florian Roth'),(10844,'Issue',601,8,'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/'),(10845,'Issue',601,10,'high'),(10846,'Issue',601,13,'community'),(10847,'Issue',601,14,'windows'),(10848,'Issue',601,15,''),(10849,'Issue',601,11,'b5e174d1b'),(10850,'Issue',601,12,'1012f107-b8f1-4271-af30-5aed2de89b39'),(10851,'Issue',601,16,'win-proc'),(10852,'Issue',601,17,''),(10853,'Issue',601,7,''),(10854,'Issue',601,3,'Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)'),(10855,'Issue',601,4,''),(10856,'Issue',601,5,'_False Positives_\nUnknown'),(10857,'Issue',601,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:*\\\\svchost.exe*termsvcs AND (NOT (process.executable.keyword:*\\\\rdpclip.exe)))\nindex: so-*\nname: Terminal Service Process Spawn\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10858,'Issue',601,9,'{{collapse(View Sigma)\n
\n\ntitle: Terminal Service Process Spawn\nid: 1012f107-b8f1-4271-af30-5aed2de89b39\nstatus: experimental\ndescription: Detects a process spawned by the terminal service server process (this\n  could be an indicator for an exploitation of CVE-2019-0708)\nreferences:\n- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/\nauthor: Florian Roth\ndate: 2019/05/22\ntags:\n- car.2013-07-002\nlogsource:\n  product: windows\n  category: process_creation\ndetection:\n  selection:\n    ParentCommandLine: \'*\\svchost.exe*termsvcs\'\n  filter:\n    Image: \'*\\rdpclip.exe\'\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10859,'Issue',602,1,'Domain Trust Discovery'),(10860,'Issue',602,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10861,'Issue',602,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md\nhttps://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html'),(10862,'Issue',602,10,'medium'),(10863,'Issue',602,13,'community'),(10864,'Issue',602,14,'windows'),(10866,'Issue',602,11,'c1662fb6e'),(10867,'Issue',602,12,'3bad990e-4848-4a78-9530-b427d854aac0'),(10868,'Issue',602,16,'win-proc'),(10869,'Issue',602,17,''),(10870,'Issue',602,7,''),(10871,'Issue',602,3,'Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.'),(10872,'Issue',602,4,''),(10873,'Issue',602,5,'_False Positives_\nLegitimate use of the utilities by legitimate user for legitimate reason'),(10874,'Issue',602,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\nltest.exe AND process.command_line.keyword:*domain_trusts*) OR (process.executable.keyword:*\\\\dsquery.exe AND process.command_line.keyword:*trustedDomain*)))\nindex: so-*\nname: Domain Trust Discovery\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10875,'Issue',602,9,'{{collapse(View Sigma)\n
\n\ntitle: Domain Trust Discovery\nid: 3bad990e-4848-4a78-9530-b427d854aac0\ndescription: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery.\n  This technique is used by attackers to enumerate Active Directory trusts.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md\n- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html\ntags:\n- attack.discovery\n- attack.t1482\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\nltest.exe\n    CommandLine|contains: domain_trusts\n  - Image|endswith: \\dsquery.exe\n    CommandLine|contains: trustedDomain\n  condition: selection\nfalsepositives:\n- Legitimate use of the utilities by legitimate user for legitimate reason\nlevel: medium\n\n
\n}}'),(10876,'Issue',602,15,'T1482'),(10877,'Issue',603,1,'Bypass UAC via CMSTP'),(10878,'Issue',603,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(10879,'Issue',603,8,'https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md'),(10880,'Issue',603,10,'high'),(10881,'Issue',603,13,'community'),(10882,'Issue',603,14,'windows'),(10884,'Issue',603,11,'7c2726c72'),(10885,'Issue',603,12,'e66779cc-383e-4224-a3a4-267eeb585c40'),(10886,'Issue',603,16,'win-proc'),(10887,'Issue',603,17,''),(10888,'Issue',603,7,''),(10889,'Issue',603,3,'Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).'),(10890,'Issue',603,4,''),(10891,'Issue',603,5,'_False Positives_\nLegitimate use of cmstp.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10892,'Issue',603,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cmstp.exe AND process.command_line.keyword:(*\\/s* OR *\\/au*))\nindex: so-*\nname: Bypass UAC via CMSTP\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10893,'Issue',603,9,'{{collapse(View Sigma)\n
\n\ntitle: Bypass UAC via CMSTP\nid: e66779cc-383e-4224-a3a4-267eeb585c40\ndescription: Detect child processes of automatically elevated instances of Microsoft\n  Connection Manager Profile Installer (cmstp.exe).\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nmodified: 2019/11/11\ndate: 2019/10/24\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1191\n- attack.t1088\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\cmstp.exe\n    CommandLine|contains:\n    - /s\n    - /au\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of cmstp.exe utility by legitimate user\nlevel: high\n\n
\n}}'),(10894,'Issue',603,15,'T1191'),(10895,'Issue',603,15,'T1088'),(10896,'Issue',604,1,'Bypass UAC via Fodhelper.exe'),(10897,'Issue',604,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10898,'Issue',604,8,'https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md'),(10899,'Issue',604,10,'high'),(10900,'Issue',604,13,'community'),(10901,'Issue',604,14,'windows'),(10903,'Issue',604,11,'b29738791'),(10904,'Issue',604,12,'7f741dcf-fc22-4759-87b4-9ae8376676a2'),(10905,'Issue',604,16,'win-proc'),(10906,'Issue',604,17,''),(10907,'Issue',604,7,''),(10908,'Issue',604,3,'Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.'),(10909,'Issue',604,4,''),(10910,'Issue',604,5,'_False Positives_\nLegitimate use of fodhelper.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10911,'Issue',604,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\fodhelper.exe)\nindex: so-*\nname: Bypass UAC via Fodhelper.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10912,'Issue',604,9,'{{collapse(View Sigma)\n
\n\ntitle: Bypass UAC via Fodhelper.exe\nid: 7f741dcf-fc22-4759-87b4-9ae8376676a2\ndescription: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries\n  use this technique to execute privileged processes.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md\ntags:\n- attack.privilege_escalation\n- attack.t1088\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\fodhelper.exe\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of fodhelper.exe utility by legitimate user\nlevel: high\n\n
\n}}'),(10913,'Issue',604,15,'T1088'),(10914,'Issue',605,1,'Bypass UAC via WSReset.exe'),(10915,'Issue',605,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10916,'Issue',605,8,'https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html'),(10917,'Issue',605,10,'high'),(10918,'Issue',605,13,'community'),(10919,'Issue',605,14,'windows'),(10921,'Issue',605,11,'88c9a0107'),(10922,'Issue',605,12,'d797268e-28a9-49a7-b9a8-2f5039011c5c'),(10923,'Issue',605,16,'win-proc'),(10924,'Issue',605,17,''),(10925,'Issue',605,7,''),(10926,'Issue',605,3,'Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.'),(10927,'Issue',605,4,''),(10928,'Issue',605,5,'_False Positives_\nUnknown'),(10929,'Issue',605,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\wsreset.exe AND (NOT (process.executable.keyword:*\\\\conhost.exe)))\nindex: so-*\nname: Bypass UAC via WSReset.exe\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10930,'Issue',605,9,'{{collapse(View Sigma)\n
\n\ntitle: Bypass UAC via WSReset.exe\nid: d797268e-28a9-49a7-b9a8-2f5039011c5c\ndescription: Identifies use of WSReset.exe to bypass User Account Control. Adversaries\n  use this technique to execute privileged processes.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html\ntags:\n- attack.privilege_escalation\n- attack.t1088\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\wsreset.exe\n  filter:\n    Image|endswith: \\conhost.exe\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10931,'Issue',605,15,'T1088'),(10932,'Issue',606,1,'Possible Privilege Escalation via Weak Service Permissions'),(10933,'Issue',606,2,'Teymur Kheirkhabarov'),(10934,'Issue',606,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://pentestlab.blog/2017/03/30/weak-service-permissions/'),(10935,'Issue',606,10,'high'),(10936,'Issue',606,13,'community'),(10937,'Issue',606,14,'windows'),(10939,'Issue',606,11,'20df1ec32'),(10940,'Issue',606,12,'d937b75f-a665-4480-88a5-2f20e9f9b22a'),(10941,'Issue',606,16,'win-proc'),(10942,'Issue',606,17,''),(10943,'Issue',606,7,''),(10944,'Issue',606,3,'Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand'),(10945,'Issue',606,4,''),(10946,'Issue',606,5,'_False Positives_\nUnknown'),(10947,'Issue',606,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\sc.exe AND IntegrityLevel:\"Medium\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.command_line.keyword:*config* AND process.command_line.keyword:*binPath*) OR (process.command_line.keyword:*failure* AND process.command_line.keyword:*command*)))\nindex: so-*\nname: Possible Privilege Escalation via Weak Service Permissions\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10948,'Issue',606,9,'{{collapse(View Sigma)\n
\n\ntitle: Possible Privilege Escalation via Weak Service Permissions\nid: d937b75f-a665-4480-88a5-2f20e9f9b22a\ndescription: Detection of sc.exe utility spawning by user with Medium integrity level\n  to change service ImagePath or FailureCommand\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://pentestlab.blog/2017/03/30/weak-service-permissions/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  scbynonadmin:\n    Image|endswith: \\sc.exe\n    IntegrityLevel: Medium\n  binpath:\n    CommandLine|contains|all:\n    - config\n    - binPath\n  failurecommand:\n    CommandLine|contains|all:\n    - failure\n    - command\n  condition: scbynonadmin and (binpath or failurecommand)\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10949,'Issue',606,15,'T1134'),(10950,'Issue',607,1,'Java Running with Remote Debugging'),(10951,'Issue',607,2,'Florian Roth'),(10952,'Issue',607,8,'none'),(10953,'Issue',607,10,'medium'),(10954,'Issue',607,13,'community'),(10955,'Issue',607,14,'windows'),(10957,'Issue',607,11,'b24838b11'),(10958,'Issue',607,12,'8f88e3f6-2a49-48f5-a5c4-2f7eedf78710'),(10959,'Issue',607,16,'win-proc'),(10960,'Issue',607,17,''),(10961,'Issue',607,7,''),(10962,'Issue',607,3,'Detects a JAVA process running with remote debugging allowing more than just localhost to connect'),(10963,'Issue',607,4,''),(10964,'Issue',607,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10965,'Issue',607,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*transport\\=dt_socket,address\\=* AND (NOT (process.command_line.keyword:*address\\=127.0.0.1* OR process.command_line.keyword:*address\\=localhost*)))\nindex: so-*\nname: Java Running with Remote Debugging\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10966,'Issue',607,9,'{{collapse(View Sigma)\n
\n\ntitle: Java Running with Remote Debugging\nid: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710\ndescription: Detects a JAVA process running with remote debugging allowing more than\n  just localhost to connect\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.discovery\n- attack.t1046\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine: \'*transport=dt_socket,address=*\'\n  exclusion:\n  - CommandLine: \'*address=127.0.0.1*\'\n  - CommandLine: \'*address=localhost*\'\n  condition: selection and not exclusion\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(10967,'Issue',607,15,'T1046'),(10968,'Issue',608,1,'Webshell Detection With Command Line Keywords'),(10969,'Issue',608,2,'Florian Roth'),(10970,'Issue',608,8,'none'),(10971,'Issue',608,10,'high'),(10972,'Issue',608,13,'community'),(10973,'Issue',608,14,'windows'),(10975,'Issue',608,11,'8d70dcff6'),(10976,'Issue',608,12,'bed2a484-9348-4143-8a8a-b801c979301c'),(10977,'Issue',608,16,'win-proc'),(10978,'Issue',608,17,''),(10979,'Issue',608,7,''),(10980,'Issue',608,3,'Detects certain command line parameters often used during reconnaissance activity via web shells'),(10981,'Issue',608,4,''),(10982,'Issue',608,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10983,'Issue',608,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\apache* OR *\\\\tomcat* OR *\\\\w3wp.exe OR *\\\\php\\-cgi.exe OR *\\\\nginx.exe OR *\\\\httpd.exe) AND process.command_line.keyword:(*whoami* OR *net\\ user\\ * OR *ping\\ \\-n\\ * OR *systeminfo OR *&cd&echo* OR *cd\\ \\/d*))\nindex: so-*\nname: Webshell Detection With Command Line Keywords\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(10984,'Issue',608,9,'{{collapse(View Sigma)\n
\n\ntitle: Webshell Detection With Command Line Keywords\nid: bed2a484-9348-4143-8a8a-b801c979301c\ndescription: Detects certain command line parameters often used during reconnaissance\n  activity via web shells\nauthor: Florian Roth\nreference:\n- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html\ndate: 2017/01/01\nmodified: 2019/10/26\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.t1100\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\apache*\'\n    - \'*\\tomcat*\'\n    - \'*\\w3wp.exe\'\n    - \'*\\php-cgi.exe\'\n    - \'*\\nginx.exe\'\n    - \'*\\httpd.exe\'\n    CommandLine:\n    - \'*whoami*\'\n    - \'*net user *\'\n    - \'*ping -n *\'\n    - \'*systeminfo\'\n    - \'*&cd&echo*\'\n    - \'*cd /d*\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10985,'Issue',608,15,'T1100'),(10986,'Issue',609,1,'Shells Spawned by Web Servers'),(10987,'Issue',609,2,'Thomas Patzke'),(10988,'Issue',609,8,'none'),(10989,'Issue',609,10,'high'),(10990,'Issue',609,13,'community'),(10991,'Issue',609,14,'windows'),(10993,'Issue',609,11,'f05538a42'),(10994,'Issue',609,12,'8202070f-edeb-4d31-a010-a26c72ac5600'),(10995,'Issue',609,16,'win-proc'),(10996,'Issue',609,17,''),(10997,'Issue',609,7,''),(10998,'Issue',609,3,'Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack'),(10999,'Issue',609,4,''),(11000,'Issue',609,5,'_False Positives_\nParticular web applications may spawn a shell process legitimately\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(11001,'Issue',609,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\w3wp.exe OR *\\\\httpd.exe OR *\\\\nginx.exe OR *\\\\php\\-cgi.exe OR *\\\\tomcat.exe) AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))\nindex: so-*\nname: Shells Spawned by Web Servers\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11002,'Issue',609,9,'{{collapse(View Sigma)\n
\n\ntitle: Shells Spawned by Web Servers\nid: 8202070f-edeb-4d31-a010-a26c72ac5600\nstatus: experimental\ndescription: Web servers that spawn shell processes could be the result of a successfully\n  placed web shell or an other attack\nauthor: Thomas Patzke\ndate: 2019/01/16\nmodified: 2020/03/25\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\w3wp.exe\'\n    - \'*\\httpd.exe\'\n    - \'*\\nginx.exe\'\n    - \'*\\php-cgi.exe\'\n    - \'*\\tomcat.exe\'\n    Image:\n    - \'*\\cmd.exe\'\n    - \'*\\sh.exe\'\n    - \'*\\bash.exe\'\n    - \'*\\powershell.exe\'\n    - \'*\\bitsadmin.exe\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.t1100\nfalsepositives:\n- Particular web applications may spawn a shell process legitimately\nlevel: high\n\n
\n}}'),(11003,'Issue',609,15,'T1100'),(11004,'Issue',610,1,'Run Whoami as SYSTEM'),(11005,'Issue',610,2,'Teymur Kheirkhabarov'),(11006,'Issue',610,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment'),(11007,'Issue',610,10,'high'),(11008,'Issue',610,13,'community'),(11009,'Issue',610,14,'windows'),(11011,'Issue',610,11,'4e41dd00b'),(11012,'Issue',610,12,'80167ada-7a12-41ed-b8e9-aa47195c66a1'),(11013,'Issue',610,16,'win-proc'),(11014,'Issue',610,17,''),(11015,'Issue',610,7,''),(11016,'Issue',610,3,'Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.'),(11017,'Issue',610,4,''),(11018,'Issue',610,5,'_False Positives_\nUnknown'),(11019,'Issue',610,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\whoami.exe)\nindex: so-*\nname: Run Whoami as SYSTEM\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11020,'Issue',610,9,'{{collapse(View Sigma)\n
\n\ntitle: Run Whoami as SYSTEM\nid: 80167ada-7a12-41ed-b8e9-aa47195c66a1\nstatus: experimental\ndescription: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of\n  a successful local privilege escalation.\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/23\nmodified: 2019/11/11\ntags:\n- attack.discovery\n- attack.privilege_escalation\n- attack.t1033\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    User: NT AUTHORITY\\SYSTEM\n    Image|endswith: \\whoami.exe\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(11021,'Issue',610,15,'T1033'),(11022,'Issue',611,1,'Windows 10 Scheduled Task SandboxEscaper 0-day'),(11023,'Issue',611,2,'Olaf Hartong'),(11024,'Issue',611,8,'https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe'),(11025,'Issue',611,10,'high'),(11026,'Issue',611,13,'community'),(11027,'Issue',611,14,'windows'),(11029,'Issue',611,11,'3ff4919f0'),(11030,'Issue',611,12,'931b6802-d6a6-4267-9ffa-526f57f22aaf'),(11031,'Issue',611,16,'win-proc'),(11032,'Issue',611,17,''),(11033,'Issue',611,7,''),(11034,'Issue',611,3,'Detects Task Scheduler .job import arbitrary DACL write\\par'),(11035,'Issue',611,4,''),(11036,'Issue',611,5,'_False Positives_\nUnknown'),(11037,'Issue',611,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable:\"schtasks.exe\" AND process.command_line.keyword:*\\/change*\\/TN*\\/RU*\\/RP*)\nindex: so-*\nname: Windows 10 Scheduled Task SandboxEscaper 0-day\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11038,'Issue',611,9,'{{collapse(View Sigma)\n
\n\ntitle: Windows 10 Scheduled Task SandboxEscaper 0-day\nid: 931b6802-d6a6-4267-9ffa-526f57f22aaf\nstatus: experimental\ndescription: Detects Task Scheduler .job import arbitrary DACL write\\par\nreferences:\n- https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe\nauthor: Olaf Hartong\ndate: 2019/05/22\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: schtasks.exe\n    CommandLine: \'*/change*/TN*/RU*/RP*\'\n  condition: selection\nfalsepositives:\n- Unknown\ntags:\n- attack.privilege_escalation\n- attack.execution\n- attack.t1053\n- car.2013-08-001\nlevel: high\n\n
\n}}'),(11039,'Issue',611,15,'T1053'),(11040,'Issue',612,1,'WMI Backdoor Exchange Transport Agent'),(11041,'Issue',612,2,'Florian Roth'),(11042,'Issue',612,8,'https://twitter.com/cglyer/status/1182389676876980224\nhttps://twitter.com/cglyer/status/1182391019633029120'),(11043,'Issue',612,10,'critical'),(11044,'Issue',612,13,'community'),(11045,'Issue',612,14,'windows'),(11047,'Issue',612,11,'a650229e3'),(11048,'Issue',612,12,'797011dc-44f4-4e6f-9f10-a8ceefbe566b'),(11049,'Issue',612,16,'win-proc'),(11050,'Issue',612,17,''),(11051,'Issue',612,7,''),(11052,'Issue',612,3,'Detects a WMi backdoor in Exchange Transport Agents via WMi event filters'),(11053,'Issue',612,4,''),(11054,'Issue',612,5,'_False Positives_\nUnknown'),(11055,'Issue',612,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\EdgeTransport.exe)\nindex: so-*\nname: WMI Backdoor Exchange Transport Agent\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11056,'Issue',612,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Backdoor Exchange Transport Agent\nid: 797011dc-44f4-4e6f-9f10-a8ceefbe566b\nstatus: experimental\ndescription: Detects a WMi backdoor in Exchange Transport Agents via WMi event filters\nauthor: Florian Roth\ndate: 2019/10/11\nreferences:\n- https://twitter.com/cglyer/status/1182389676876980224\n- https://twitter.com/cglyer/status/1182391019633029120\nlogsource:\n  category: process_creation\n  product: windows\ntags:\n- attack.persistence\n- attack.t1084\ndetection:\n  selection:\n    ParentImage: \'*\\EdgeTransport.exe\'\n  condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(11057,'Issue',612,15,'T1084'),(11058,'Issue',613,1,'WMI Persistence - Script Event Consumer'),(11059,'Issue',613,2,'Thomas Patzke'),(11060,'Issue',613,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(11061,'Issue',613,10,'high'),(11062,'Issue',613,13,'community'),(11063,'Issue',613,14,'windows'),(11065,'Issue',613,11,'8e6b7ecfd'),(11066,'Issue',613,12,'ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e'),(11067,'Issue',613,16,'win-proc'),(11068,'Issue',613,17,''),(11069,'Issue',613,7,''),(11070,'Issue',613,3,'Detects WMI script event consumers'),(11071,'Issue',613,4,''),(11072,'Issue',613,5,'_False Positives_\nLegitimate event consumers'),(11073,'Issue',613,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable:\"C\\:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe\" AND process.parent.executable:\"C\\:\\\\Windows\\\\System32\\\\svchost.exe\")\nindex: so-*\nname: WMI Persistence - Script Event Consumer\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11074,'Issue',613,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Persistence - Script Event Consumer\nid: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e\nstatus: experimental\ndescription: Detects WMI script event consumers\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.execution\n- attack.persistence\n- attack.t1047\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: C:\\WINDOWS\\system32\\wbem\\scrcons.exe\n    ParentImage: C:\\Windows\\System32\\svchost.exe\n  condition: selection\nfalsepositives:\n- Legitimate event consumers\nlevel: high\n\n
\n}}'),(11075,'Issue',613,15,'T1047'),(11076,'Issue',614,1,'WMI Spawning Windows PowerShell'),(11077,'Issue',614,2,'Markus Neis / @Karneades'),(11078,'Issue',614,8,'https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml\nhttps://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e'),(11079,'Issue',614,10,'high'),(11080,'Issue',614,13,'community'),(11081,'Issue',614,14,'windows'),(11083,'Issue',614,11,'127d6cb16'),(11084,'Issue',614,12,'692f0bec-83ba-4d04-af7e-e884a96059b6'),(11085,'Issue',614,16,'win-proc'),(11086,'Issue',614,17,''),(11087,'Issue',614,7,''),(11088,'Issue',614,3,'Detects WMI spawning PowerShell'),(11089,'Issue',614,4,''),(11090,'Issue',614,5,'_False Positives_\nAppvClient\nCCM'),(11091,'Issue',614,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\wmiprvse.exe) AND process.executable.keyword:(*\\\\powershell.exe))\nindex: so-*\nname: WMI Spawning Windows PowerShell\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11092,'Issue',614,9,'{{collapse(View Sigma)\n
\n\ntitle: WMI Spawning Windows PowerShell\nid: 692f0bec-83ba-4d04-af7e-e884a96059b6\nstatus: experimental\ndescription: Detects WMI spawning PowerShell\nreferences:\n- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml\n- https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e\nauthor: Markus Neis / @Karneades\ndate: 2019/04/03\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1064\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage:\n    - \'*\\wmiprvse.exe\'\n    Image:\n    - \'*\\powershell.exe\'\n  condition: selection\nfalsepositives:\n- AppvClient\n- CCM\nlevel: high\n\n
\n}}'),(11093,'Issue',614,15,'T1064'),(11094,'Issue',615,1,'Wmiprvse Spawning Process'),(11095,'Issue',615,2,'Roberto Rodriguez @Cyb3rWard0g'),(11096,'Issue',615,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md'),(11097,'Issue',615,10,'critical'),(11098,'Issue',615,13,'community'),(11099,'Issue',615,14,'windows'),(11101,'Issue',615,11,'eab53c8fb'),(11102,'Issue',615,12,'d21374ff-f574-44a7-9998-4a8c8bf33d7d'),(11103,'Issue',615,16,'win-proc'),(11104,'Issue',615,17,''),(11105,'Issue',615,7,''),(11106,'Issue',615,3,'Detects wmiprvse spawning processes'),(11107,'Issue',615,4,''),(11108,'Issue',615,5,'_False Positives_\nUnknown'),(11109,'Issue',615,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WmiPrvSe.exe AND (NOT (LogonId:\"0x3e7\" OR Username:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: Wmiprvse Spawning Process\npriority: 1\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11110,'Issue',615,9,'{{collapse(View Sigma)\n
\n\ntitle: Wmiprvse Spawning Process\nid: d21374ff-f574-44a7-9998-4a8c8bf33d7d\ndescription: Detects wmiprvse spawning processes\nstatus: experimental\ndate: 2019/08/15\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \\WmiPrvSe.exe\n  filter:\n  - LogonId: \'0x3e7\'\n  - Username: NT AUTHORITY\\SYSTEM\n  condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(11111,'Issue',615,15,'T1047'),(11112,'Issue',616,1,'Microsoft Workflow Compiler'),(11113,'Issue',616,2,'Nik Seetharaman'),(11114,'Issue',616,8,'https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb'),(11115,'Issue',616,10,'high'),(11116,'Issue',616,13,'community'),(11117,'Issue',616,14,'windows'),(11119,'Issue',616,11,'b7e329a1b'),(11120,'Issue',616,12,'419dbf2b-8a9b-4bea-bf99-7544b050ec8d'),(11121,'Issue',616,16,'win-proc'),(11122,'Issue',616,17,''),(11123,'Issue',616,7,''),(11124,'Issue',616,3,'Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.'),(11125,'Issue',616,4,''),(11126,'Issue',616,5,'_False Positives_\nLegitimate MWC use (unlikely in modern enterprise environments)\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(11127,'Issue',616,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Microsoft.Workflow.Compiler.exe)\nindex: so-*\nname: Microsoft Workflow Compiler\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11128,'Issue',616,9,'{{collapse(View Sigma)\n
\n\ntitle: Microsoft Workflow Compiler\nid: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d\nstatus: experimental\ndescription: Detects invocation of Microsoft Workflow Compiler, which may permit the\n  execution of arbitrary unsigned code.\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1127\nauthor: Nik Seetharaman\ndate: 2019/01/16\nreferences:\n- https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\Microsoft.Workflow.Compiler.exe\'\n  condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate MWC use (unlikely in modern enterprise environments)\nlevel: high\n\n
\n}}'),(11129,'Issue',616,15,'T1127'),(11130,'Issue',617,1,'Wsreset UAC Bypass'),(11131,'Issue',617,2,'Florian Roth'),(11132,'Issue',617,8,'https://lolbas-project.github.io/lolbas/Binaries/Wsreset/\nhttps://www.activecyber.us/activelabs/windows-uac-bypass\nhttps://twitter.com/ReaQta/status/1222548288731217921'),(11133,'Issue',617,10,'high'),(11134,'Issue',617,13,'community'),(11135,'Issue',617,14,'windows'),(11137,'Issue',617,11,'a20c95e40'),(11138,'Issue',617,12,'bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae'),(11139,'Issue',617,16,'win-proc'),(11140,'Issue',617,17,''),(11141,'Issue',617,7,''),(11142,'Issue',617,3,'Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC'),(11143,'Issue',617,4,''),(11144,'Issue',617,5,'_False Positives_\nUnknown sub processes of Wsreset.exe\n\n_Interesting Log Fields_\nCommandLine'),(11145,'Issue',617,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WSreset.exe))\nindex: so-*\nname: Wsreset UAC Bypass\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11146,'Issue',617,9,'{{collapse(View Sigma)\n
\n\ntitle: Wsreset UAC Bypass\nid: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae\nstatus: experimental\ndescription: Detects a method that uses Wsreset.exe tool that can be used to reset\n  the Windows Store to bypass UAC\nreferences:\n- https://lolbas-project.github.io/lolbas/Binaries/Wsreset/\n- https://www.activecyber.us/activelabs/windows-uac-bypass\n- https://twitter.com/ReaQta/status/1222548288731217921\nauthor: Florian Roth\ndate: 2020/01/30\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1088\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith:\n    - \\WSreset.exe\n  condition: selection\nfields:\n- CommandLine\nfalsepositives:\n- Unknown sub processes of Wsreset.exe\nlevel: high\n\n
\n}}'),(11147,'Issue',617,15,'T1088'),(11148,'Issue',618,1,'XSL Script Processing'),(11149,'Issue',618,2,'Timur Zinniatullin, oscd.community'),(11150,'Issue',618,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml'),(11151,'Issue',618,10,'medium'),(11152,'Issue',618,13,'community'),(11153,'Issue',618,14,'windows'),(11155,'Issue',618,11,'53788ea86'),(11156,'Issue',618,12,'05c36dd6-79d6-4a9a-97da-3db20298ab2d'),(11157,'Issue',618,16,'win-proc'),(11158,'Issue',618,17,''),(11159,'Issue',618,7,'gVP62XEBH72G5DlCexmq'),(11160,'Issue',618,3,'Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses'),(11161,'Issue',618,4,''),(11162,'Issue',618,5,'_False Positives_\nWMIC.exe FP depend on scripts and administrative methods used in the monitored environment\nmsxsl.exe is not installed by default so unlikely.'),(11163,'Issue',618,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*\\/format*) OR process.executable.keyword:*\\\\msxsl.exe))\nindex: so-*\nname: XSL Script Processing\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11164,'Issue',618,9,'{{collapse(View Sigma)\r\n
\r\n\r\ntitle: XSL Script Processing\r\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\r\nstatus: experimental\r\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\r\n  the processing and rendering of data within XML files, rule detects when adversaries\r\n  abuse this functionality to execute arbitrary files while potentially bypassing\r\n  application whitelisting defenses\r\nauthor: Timur Zinniatullin, oscd.community\r\ndate: 2019/10/21\r\nmodified: 2019/11/04\r\nreferences:\r\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n  - Image|endswith: \\wmic.exe\r\n    CommandLine|contains: /format\r\n  - Image|endswith: \\msxsl.exe\r\n  condition: selection\r\nfalsepositives:\r\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\r\n- msxsl.exe is not installed by default so unlikely.\r\nlevel: medium\r\ntags:\r\n- attack.execution\r\n- attack.t1220\r\n\r\n
\r\n}}'),(11165,'Issue',618,15,'T1220'),(11184,'Issue',620,1,'New Sensitive Shared Resource'),(11185,'Issue',620,2,'Josh Brower'),(11186,'Issue',620,10,'medium'),(11187,'Issue',620,13,'imported'),(11188,'Issue',620,14,'osquery'),(11189,'Issue',620,8,'none'),(11191,'Issue',620,11,'8a0e88be7'),(11192,'Issue',620,12,'none'),(11193,'Issue',620,16,''),(11194,'Issue',620,17,''),(11195,'Issue',620,7,''),(11196,'Issue',620,3,'Network shares with loose access controls are common places that leak sensitive information. This play proactively looks for newly shared resources that likely contain sensitive data. Follow-up will be needed to confirm that appropriate access control is in place.'),(11197,'Issue',620,4,''),(11198,'Issue',620,5,'_False Positives_\nunknown'),(11199,'Issue',620,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((osquery.columns.qid:\"601\" AND osquery.columns.name.keyword:(*hr* OR *finance* OR *backup* OR *www* OR *scan*)) AND (NOT (osquery.result.counter:\"0\")))\nindex: so-osquery-*\nname: New Sensitive Shared Resource\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11200,'Issue',620,9,'{{collapse(View Sigma)\n
\n\ntitle: New Sensitive Shared Resource\ndescription: Network shares with loose access controls are common places that leak\n  sensitive information. This play proactively looks for newly shared resources that\n  likely contain sensitive data. Follow-up will be needed to confirm that appropriate\n  access control is in place.\nstatus: experimental\nauthor: Josh Brower\ntags:\n- attack.discovery\n- attack.t1135\nlogsource:\n  product: osquery\n  definition: select Description,Name,Path, \"601\" AS qid  from shared_resources where\n    type = 0 AND name <> \"print$\";\n  qid: 601\ndetection:\n  selection:\n    qid: 601\n    column_name:\n    - \'*hr*\'\n    - \'*finance*\'\n    - \'*backup*\'\n    - \'*www*\'\n    - \'*scan*\'\n  filter:\n    counter: 0\n  condition: selection and not filter\nfalsepositives:\n- unknown\nlevel: medium\ntasks:\n  1 - Check Share Permissions: Are share permissions set to an appropriate level?\n    They should be tied to the relevant AD Security Group.\n  2 - Contact System/Service Owner: If share permissions are not appropriate, contact\n    the system/service owner for remediation.\n\n
\n}}'),(11201,'Issue',620,15,'T1135'),(11202,'Issue',621,1,'Whoami Execution'),(11203,'Issue',621,2,'Florian Roth'),(11204,'Issue',621,10,'high'),(11205,'Issue',621,13,'imported'),(11206,'Issue',621,14,'windows'),(11207,'Issue',621,8,'https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\nhttps://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/'),(11209,'Issue',621,11,'b2904c00a'),(11210,'Issue',621,12,'e28a5a99-da44-436d-b7a0-2afc20a5f413'),(11211,'Issue',621,16,''),(11212,'Issue',621,17,''),(11213,'Issue',621,7,''),(11214,'Issue',621,3,'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators'),(11215,'Issue',621,4,''),(11216,'Issue',621,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(11217,'Issue',621,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\whoami.exe OR OriginalFileName:\"whoami.exe\"))\nindex: so-*\nname: Whoami Execution\npriority: 2\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11218,'Issue',621,9,'{{collapse(View Sigma)\n
\n\ntitle: Whoami Execution\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\nstatus: experimental\ndescription: Detects the execution of whoami, which is often used by attackers after\n  exloitation / privilege escalation but rarely used by administrators\nreferences:\n- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\nauthor: Florian Roth\ndate: 2018/08/13\ntags:\n- attack.discovery\n- attack.t1033\n- car.2016-03-001\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image: \'*\\whoami.exe\'\n  selection2:\n    OriginalFileName: whoami.exe\n  condition: selection or selection2\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\nlevel: high\n\n
\n}}'),(11219,'Issue',621,15,'T1033'),(11220,'Issue',622,1,'Advanced IP Scanner'),(11221,'Issue',622,2,'@ROxPinTeddy'),(11222,'Issue',622,10,'medium'),(11223,'Issue',622,13,'community'),(11224,'Issue',622,14,'windows'),(11225,'Issue',622,8,'https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/\nhttps://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html'),(11227,'Issue',622,11,'28e0c60a4'),(11228,'Issue',622,12,'bef37fa2-f205-4a7b-b484-0759bfd5f86f'),(11229,'Issue',622,16,'win-proc'),(11230,'Issue',622,17,''),(11231,'Issue',622,7,''),(11232,'Issue',622,3,'Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.'),(11233,'Issue',622,4,''),(11234,'Issue',622,5,'_False Positives_\nLegitimate administrative use'),(11235,'Issue',622,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\advanced_ip_scanner*)\nindex: so-*\nname: Advanced IP Scanner\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11236,'Issue',622,9,'{{collapse(View Sigma)\n
\n\ntitle: Advanced IP Scanner\nid: bef37fa2-f205-4a7b-b484-0759bfd5f86f\nstatus: experimental\ndescription: Detects the use of Advanced IP Scanner. Seems to be a popular tool for\n  ransomware groups.\nreferences:\n- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/\n- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\nauthor: \'@ROxPinTeddy\'\ndate: 2020/05/12\ntags:\n- attack.discovery\n- attack.t1046\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|contains: \\advanced_ip_scanner\n  condition: selection\nfalsepositives:\n- Legitimate administrative use\nlevel: medium\n\n
\n}}'),(11237,'Issue',622,15,'T1046'),(11238,'Issue',623,1,'Harvesting of Wifi Credentials Using netsh.exe'),(11239,'Issue',623,2,'Andreas Hunkeler (@Karneades)'),(11240,'Issue',623,10,'medium'),(11241,'Issue',623,13,'community'),(11242,'Issue',623,14,'windows'),(11243,'Issue',623,8,'https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/'),(11245,'Issue',623,11,'c7fcf9aee'),(11246,'Issue',623,12,'42b1a5b8-353f-4f10-b256-39de4467faff'),(11247,'Issue',623,16,'win-proc'),(11248,'Issue',623,17,''),(11249,'Issue',623,7,''),(11250,'Issue',623,3,'Detect the harvesting of wifi credentials using netsh.exe'),(11251,'Issue',623,4,''),(11252,'Issue',623,5,'_False Positives_\nLegitimate administrator or user uses netsh.exe wlan functionality for legitimate reason'),(11253,'Issue',623,6,'{{collapse(View ElastAlert Config)\n
\n\nfilter:\n- query:\n    query_string:\n      query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ wlan\\ s*\\ p*\\ k*\\=clear))\nindex: so-*\nname: Harvesting of Wifi Credentials Using netsh.exe\npriority: 3\nrealert:\n  minutes: 0\ntype: any\n
\n}}'),(11254,'Issue',623,9,'{{collapse(View Sigma)\n
\n\ntitle: Harvesting of Wifi Credentials Using netsh.exe\nid: 42b1a5b8-353f-4f10-b256-39de4467faff\nstatus: experimental\ndescription: Detect the harvesting of wifi credentials using netsh.exe\nreferences:\n- https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/\nauthor: Andreas Hunkeler (@Karneades)\ndate: 2020/04/20\ntags:\n- attack.discovery\n- attack.t1040\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine:\n    - netsh wlan s* p* k*=clear\n  condition: selection\nfalsepositives:\n- Legitimate administrator or user uses netsh.exe wlan functionality for legitimate\n  reason\nlevel: medium\n\n
\n}}'),(11255,'Issue',623,15,'T1040'); /*!40000 ALTER TABLE `custom_values` ENABLE KEYS */; UNLOCK TABLES; @@ -524,7 +523,7 @@ CREATE TABLE `email_addresses` ( LOCK TABLES `email_addresses` WRITE; /*!40000 ALTER TABLE `email_addresses` DISABLE KEYS */; -INSERT INTO `email_addresses` VALUES (1,1,'admin@example.net',1,1,'2020-04-26 13:08:38','2020-04-26 13:08:38'),(2,8,'analyst@localhost.local',1,1,'2020-04-26 18:46:48','2020-04-26 18:46:48'),(3,9,'automation@localhost.local',1,1,'2020-04-26 18:47:46','2020-04-26 18:47:46'); +INSERT INTO `email_addresses` VALUES (1,1,'admin@example.net',1,1,'2020-04-26 13:08:38','2020-04-26 13:08:38'),(3,9,'automation@localhost.local',1,1,'2020-04-26 18:47:46','2020-04-26 18:47:46'); /*!40000 ALTER TABLE `email_addresses` ENABLE KEYS */; UNLOCK TABLES; @@ -607,7 +606,7 @@ CREATE TABLE `groups_users` ( LOCK TABLES `groups_users` WRITE; /*!40000 ALTER TABLE `groups_users` DISABLE KEYS */; -INSERT INTO `groups_users` VALUES (5,8),(6,9),(7,1); +INSERT INTO `groups_users` VALUES (6,9),(7,1); /*!40000 ALTER TABLE `groups_users` ENABLE KEYS */; UNLOCK TABLES; @@ -798,7 +797,7 @@ CREATE TABLE `issues` ( KEY `index_issues_on_created_on` (`created_on`), KEY `index_issues_on_root_id_and_lft_and_rgt` (`root_id`,`lft`,`rgt`), KEY `index_issues_on_parent_id` (`parent_id`) -) ENGINE=InnoDB AUTO_INCREMENT=624 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- @@ -807,7 +806,6 @@ CREATE TABLE `issues` ( LOCK TABLES `issues` WRITE; /*!40000 ALTER TABLE `issues` DISABLE KEYS */; -INSERT INTO `issues` VALUES (313,1,1,'Executable in ADS',NULL,NULL,NULL,6,NULL,1,NULL,9,0,'2020-05-01 20:55:14','2020-05-01 20:55:14',NULL,0,NULL,NULL,313,1,2,0,NULL),(314,1,1,'Alternate PowerShell Hosts Module Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:15','2020-05-01 20:55:15',NULL,0,NULL,NULL,314,1,2,0,NULL),(315,1,1,'Alternate PowerShell Hosts Pipe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:15','2020-05-01 20:55:15',NULL,0,NULL,NULL,315,1,2,0,NULL),(316,1,1,'OceanLotus Registry Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:16','2020-05-01 20:55:16',NULL,0,NULL,NULL,316,1,2,0,NULL),(317,1,1,'Turla Group Named Pipes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:16','2020-05-01 20:55:16',NULL,0,NULL,NULL,317,1,2,0,NULL),(318,1,1,'Autorun Keys Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:17','2020-05-01 20:55:17',NULL,0,NULL,NULL,318,1,2,0,NULL),(319,1,1,'CACTUSTORCH Remote Thread Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:17','2020-05-01 20:55:17',NULL,0,NULL,NULL,319,1,2,0,NULL),(320,1,1,'CobaltStrike Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:18','2020-05-01 20:55:18',NULL,0,NULL,NULL,320,1,2,0,NULL),(321,1,1,'CreateRemoteThread API and LoadLibrary',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:18','2020-05-01 20:55:19',NULL,0,NULL,NULL,321,1,2,0,NULL),(322,1,1,'Credentials Dumping Tools Accessing LSASS Memory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:19','2020-05-01 20:55:19',NULL,0,NULL,NULL,322,1,2,0,NULL),(323,1,1,'Cred Dump Tools Dropped Files',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:20','2020-05-01 20:55:20',NULL,0,NULL,NULL,323,1,2,0,NULL),(324,1,1,'Cred Dump-Tools Named Pipes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:20','2020-05-01 20:55:20',NULL,0,NULL,NULL,324,1,2,0,NULL),(325,1,1,'DHCP Callout DLL Installation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:21','2020-05-01 20:55:21',NULL,0,NULL,NULL,325,1,2,0,NULL),(326,1,1,'Disable Security Events Logging Adding Reg Key MiniNt',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:21','2020-05-01 20:55:21',NULL,0,NULL,NULL,326,1,2,0,NULL),(327,1,1,'Detection of SafetyKatz',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:22','2020-05-01 20:55:22',NULL,0,NULL,NULL,327,1,2,0,NULL),(328,1,1,'Suspicious In-Memory Module Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:22','2020-05-01 20:55:22',NULL,0,NULL,NULL,328,1,2,0,NULL),(329,1,1,'In-memory PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:23','2020-05-01 20:55:23',NULL,0,NULL,NULL,329,1,2,0,NULL),(330,1,1,'Suspect Svchost Memory Asccess',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:23','2020-05-01 20:55:24',NULL,0,NULL,NULL,330,1,2,0,NULL),(331,1,1,'LSASS Memory Dump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:24','2020-05-01 20:55:24',NULL,0,NULL,NULL,331,1,2,0,NULL),(332,1,1,'LSASS Memory Dump File Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:24','2020-05-01 20:55:25',NULL,0,NULL,NULL,332,1,2,0,NULL),(333,1,1,'Malicious Named Pipe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:25','2020-05-01 20:55:25',NULL,0,NULL,NULL,333,1,2,0,NULL),(334,1,1,'Suspicious Typical Malware Back Connect Ports',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:26','2020-05-01 20:55:26',NULL,0,NULL,NULL,334,1,2,0,NULL),(335,1,1,'Malware Shellcode in Verclsid Target Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:27','2020-05-01 20:55:27',NULL,0,NULL,NULL,335,1,2,0,NULL),(336,1,1,'Mimikatz In-Memory',NULL,NULL,NULL,6,NULL,1,NULL,9,1,'2020-05-01 20:55:27','2020-05-01 20:55:28',NULL,0,NULL,NULL,336,1,2,0,NULL),(337,1,1,'Mimikatz through Windows Remote Management',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:28','2020-05-01 20:55:28',NULL,0,NULL,NULL,337,1,2,0,NULL),(338,1,1,'Dumping Lsass.exe Memory with MiniDumpWriteDump API',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:29','2020-05-01 20:55:29',NULL,0,NULL,NULL,338,1,2,0,NULL),(339,1,1,'Narrator\'s Feedback-Hub Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:29','2020-05-01 20:55:29',NULL,0,NULL,NULL,339,1,2,0,NULL),(340,1,1,'New DLL Added to AppCertDlls Registry Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:30','2020-05-01 20:55:30',NULL,0,NULL,NULL,340,1,2,0,NULL),(341,1,1,'New DLL Added to AppInit_DLLs Registry Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:30','2020-05-01 20:55:30',NULL,0,NULL,NULL,341,1,2,0,NULL),(342,1,1,'Password Dumper Remote Thread in LSASS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:31','2020-05-01 20:55:31',NULL,0,NULL,NULL,342,1,2,0,NULL),(343,1,1,'Possible DNS Rebinding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:31','2020-05-01 20:55:31',NULL,0,NULL,NULL,343,1,2,0,NULL),(344,1,1,'Possible Privilege Escalation via Service Permissions Weakness',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:32','2020-05-01 20:55:32',NULL,0,NULL,NULL,344,1,2,0,NULL),(345,1,1,'PowerShell Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:32','2020-05-01 20:55:33',NULL,0,NULL,NULL,345,1,2,0,NULL),(346,1,1,'Malicious PowerShell Commandlet Names',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:33','2020-05-01 20:55:33',NULL,0,NULL,NULL,346,1,2,0,NULL),(347,1,1,'PowerShell Network Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:34','2020-05-01 20:55:34',NULL,0,NULL,NULL,347,1,2,0,NULL),(348,1,1,'QuarksPwDump Dump File',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:34','2020-05-01 20:55:34',NULL,0,NULL,NULL,348,1,2,0,NULL),(349,1,1,'Raw Disk Access Using Illegitimate Tools',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:35','2020-05-01 20:55:35',NULL,0,NULL,NULL,349,1,2,0,NULL),(350,1,1,'RDP Registry Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:35','2020-05-01 20:55:36',NULL,0,NULL,NULL,350,1,2,0,NULL),(351,1,1,'RDP Over Reverse SSH Tunnel',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:36','2020-05-01 20:55:36',NULL,0,NULL,NULL,351,1,2,0,NULL),(352,1,1,'RDP Sensitive Settings Changed',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:37','2020-05-01 20:55:37',NULL,0,NULL,NULL,352,1,2,0,NULL),(353,1,1,'Windows Registry Persistence COM Key Linking',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:37','2020-05-01 20:55:37',NULL,0,NULL,NULL,353,1,2,0,NULL),(354,1,1,'Windows Registry Persistence COM Search Order Hijacking',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:38','2020-05-01 20:55:38',NULL,0,NULL,NULL,354,1,2,0,NULL),(355,1,1,'Windows Registry Trust Record Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:38','2020-05-01 20:55:38',NULL,0,NULL,NULL,355,1,2,0,NULL),(356,1,1,'Regsvr32 Network Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:39','2020-05-01 20:55:39',NULL,0,NULL,NULL,356,1,2,0,NULL),(357,1,1,'Remote PowerShell Session',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:39','2020-05-01 20:55:39',NULL,0,NULL,NULL,357,1,2,0,NULL),(358,1,1,'Renamed jusched.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:40','2020-05-01 20:55:40',NULL,0,NULL,NULL,358,1,2,0,NULL),(359,1,1,'Renamed PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:40','2020-05-01 20:55:40',NULL,0,NULL,NULL,359,1,2,0,NULL),(360,1,1,'Renamed ProcDump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:41','2020-05-01 20:55:41',NULL,0,NULL,NULL,360,1,2,0,NULL),(361,1,1,'Renamed PsExec',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:41','2020-05-01 20:55:42',NULL,0,NULL,NULL,361,1,2,0,NULL),(362,1,1,'Rundll32 Internet Connection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:42','2020-05-01 20:55:42',NULL,0,NULL,NULL,362,1,2,0,NULL),(363,1,1,'Security Support Provider (SSP) Added to LSA Configuration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:43','2020-05-01 20:55:43',NULL,0,NULL,NULL,363,1,2,0,NULL),(364,1,1,'Suspicious ADSI-Cache Usage By Unknown Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:43','2020-05-01 20:55:43',NULL,0,NULL,NULL,364,1,2,0,NULL),(365,1,1,'Suspicious desktop.ini Action',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:44','2020-05-01 20:55:44',NULL,0,NULL,NULL,365,1,2,0,NULL),(366,1,1,'Suspicious RUN Key from Download',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:44','2020-05-01 20:55:44',NULL,0,NULL,NULL,366,1,2,0,NULL),(367,1,1,'Suspicious Driver Load from Temp',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:45','2020-05-01 20:55:45',NULL,0,NULL,NULL,367,1,2,0,NULL),(368,1,1,'Suspicious File Characteristics Due to Missing Fields',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:45','2020-05-01 20:55:45',NULL,0,NULL,NULL,368,1,2,0,NULL),(369,1,1,'Possible Process Hollowing Image Loading',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:46','2020-05-01 20:55:46',NULL,0,NULL,NULL,369,1,2,0,NULL),(370,1,1,'DLL Load via LSASS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:46','2020-05-01 20:55:46',NULL,0,NULL,NULL,370,1,2,0,NULL),(371,1,1,'dotNET DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:47','2020-05-01 20:55:47',NULL,0,NULL,NULL,371,1,2,0,NULL),(372,1,1,'CLR DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:47','2020-05-01 20:55:47',NULL,0,NULL,NULL,372,1,2,0,NULL),(373,1,1,'GAC DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:48','2020-05-01 20:55:48',NULL,0,NULL,NULL,373,1,2,0,NULL),(374,1,1,'Active Directory Parsing DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:48','2020-05-01 20:55:49',NULL,0,NULL,NULL,374,1,2,0,NULL),(375,1,1,'Active Directory Kerberos DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:49','2020-05-01 20:55:49',NULL,0,NULL,NULL,375,1,2,0,NULL),(376,1,1,'PowerShell Rundll32 Remote Thread Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:49','2020-05-01 20:55:50',NULL,0,NULL,NULL,376,1,2,0,NULL),(377,1,1,'Suspicious PROCEXP152.sys File Created In TMP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:50','2020-05-01 20:55:50',NULL,0,NULL,NULL,377,1,2,0,NULL),(378,1,1,'Suspicious Program Location with Network Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:51','2020-05-01 20:55:51',NULL,0,NULL,NULL,378,1,2,0,NULL),(379,1,1,'Suspicious Outbound RDP Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:51','2020-05-01 20:55:51',NULL,0,NULL,NULL,379,1,2,0,NULL),(380,1,1,'Registry Persistence via Explorer Run Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:52','2020-05-01 20:55:52',NULL,0,NULL,NULL,380,1,2,0,NULL),(381,1,1,'New RUN Key Pointing to Suspicious Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:52','2020-05-01 20:55:52',NULL,0,NULL,NULL,381,1,2,0,NULL),(382,1,1,'Suspicious Service Installed',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:53','2020-05-01 20:55:53',NULL,0,NULL,NULL,382,1,2,0,NULL),(383,1,1,'VBA DLL Loaded Via Microsoft Word',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:53','2020-05-01 20:55:53',NULL,0,NULL,NULL,383,1,2,0,NULL),(384,1,1,'Windows Mangement Instrumentation DLL Loaded Via Microsoft Word',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:54','2020-05-01 20:55:54',NULL,0,NULL,NULL,384,1,2,0,NULL),(385,1,1,'Suspicious Keyboard Layout Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:54','2020-05-01 20:55:54',NULL,0,NULL,NULL,385,1,2,0,NULL),(386,1,1,'Suspicious Outbound Kerberos Connection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:55','2020-05-01 20:55:55',NULL,0,NULL,NULL,386,1,2,0,NULL),(387,1,1,'Suspicious Remote Thread Created',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:55','2020-05-01 20:55:55',NULL,0,NULL,NULL,387,1,2,0,NULL),(388,1,1,'Svchost DLL Search Order Hijack',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:56','2020-05-01 20:55:56',NULL,0,NULL,NULL,388,1,2,0,NULL),(389,1,1,'Hijack Legit RDP Session to Move Laterally',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:56','2020-05-01 20:55:57',NULL,0,NULL,NULL,389,1,2,0,NULL),(390,1,1,'UAC Bypass via Event Viewer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:57','2020-05-01 20:55:57',NULL,0,NULL,NULL,390,1,2,0,NULL),(391,1,1,'UAC Bypass via Sdclt',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:57','2020-05-01 20:55:58',NULL,0,NULL,NULL,391,1,2,0,NULL),(392,1,1,'Unsigned Image Loaded Into LSASS Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:58','2020-05-01 20:55:58',NULL,0,NULL,NULL,392,1,2,0,NULL),(393,1,1,'Windows Webshell Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:59','2020-05-01 20:55:59',NULL,0,NULL,NULL,393,1,2,0,NULL),(394,1,1,'Microsoft Binary Github Communication',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:59','2020-05-01 20:55:59',NULL,0,NULL,NULL,394,1,2,0,NULL),(395,1,1,'Microsoft Binary Suspicious Communication Endpoint',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:00','2020-05-01 20:56:00',NULL,0,NULL,NULL,395,1,2,0,NULL),(396,1,1,'Registry Persistence Mechanisms',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:00','2020-05-01 20:56:00',NULL,0,NULL,NULL,396,1,2,0,NULL),(397,1,1,'WMI Event Subscription',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:01','2020-05-01 20:56:01',NULL,0,NULL,NULL,397,1,2,0,NULL),(398,1,1,'WMI Modules Loaded',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:01','2020-05-01 20:56:01',NULL,0,NULL,NULL,398,1,2,0,NULL),(399,1,1,'WMI Persistence - Command Line Event Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:02','2020-05-01 20:56:02',NULL,0,NULL,NULL,399,1,2,0,NULL),(400,1,1,'WMI Persistence - Script Event Consumer File Write',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:02','2020-05-01 20:56:02',NULL,0,NULL,NULL,400,1,2,0,NULL),(401,1,1,'Suspicious Scripting in a WMI Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:03','2020-05-01 20:56:03',NULL,0,NULL,NULL,401,1,2,0,NULL),(402,1,1,'APT29',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:03','2020-05-01 20:56:03',NULL,0,NULL,NULL,402,1,2,0,NULL),(403,1,1,'Baby Shark Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:04','2020-05-01 20:56:04',NULL,0,NULL,NULL,403,1,2,0,NULL),(404,1,1,'Judgement Panda Credential Access Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:04','2020-05-01 20:56:04',NULL,0,NULL,NULL,404,1,2,0,NULL),(405,1,1,'BlueMashroom DLL Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:05','2020-05-01 20:56:05',NULL,0,NULL,NULL,405,1,2,0,NULL),(406,1,1,'WMIExec VBS Script',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:05','2020-05-01 20:56:06',NULL,0,NULL,NULL,406,1,2,0,NULL),(407,1,1,'CrackMapExecWin',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:06','2020-05-01 20:56:06',NULL,0,NULL,NULL,407,1,2,0,NULL),(408,1,1,'Elise Backdoor',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:06','2020-05-01 20:56:07',NULL,0,NULL,NULL,408,1,2,0,NULL),(409,1,1,'Emissary Panda Malware SLLauncher',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:07','2020-05-01 20:56:07',NULL,0,NULL,NULL,409,1,2,0,NULL),(410,1,1,'Equation Group DLL_U Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:08','2020-05-01 20:56:08',NULL,0,NULL,NULL,410,1,2,0,NULL),(411,1,1,'Hurricane Panda Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:08','2020-05-01 20:56:08',NULL,0,NULL,NULL,411,1,2,0,NULL),(412,1,1,'Judgement Panda Exfil Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:09','2020-05-01 20:56:09',NULL,0,NULL,NULL,412,1,2,0,NULL),(413,1,1,'Mustang Panda Dropper',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:09','2020-05-01 20:56:09',NULL,0,NULL,NULL,413,1,2,0,NULL),(414,1,1,'Sofacy Trojan Loader Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:10','2020-05-01 20:56:10',NULL,0,NULL,NULL,414,1,2,0,NULL),(415,1,1,'Ps.exe Renamed SysInternals Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:11','2020-05-01 20:56:11',NULL,0,NULL,NULL,415,1,2,0,NULL),(416,1,1,'TropicTrooper Campaign November 2018',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:11','2020-05-01 20:56:11',NULL,0,NULL,NULL,416,1,2,0,NULL),(417,1,1,'Winnti Malware HK University Campaign',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:12','2020-05-01 20:56:12',NULL,0,NULL,NULL,417,1,2,0,NULL),(418,1,1,'ZxShell Malware',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:12','2020-05-01 20:56:13',NULL,0,NULL,NULL,418,1,2,0,NULL),(419,1,1,'Hiding Files with Attrib.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:13','2020-05-01 20:56:13',NULL,0,NULL,NULL,419,1,2,0,NULL),(420,1,1,'Modification of Boot Configuration',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:14','2020-05-13 14:07:10',NULL,0,NULL,NULL,420,1,2,0,NULL),(421,1,1,'SquiblyTwo',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:14','2020-05-01 20:56:15',NULL,0,NULL,NULL,421,1,2,0,NULL),(422,1,1,'Change Default File Association',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:15','2020-05-01 20:56:15',NULL,0,NULL,NULL,422,1,2,0,NULL),(423,1,1,'Cmdkey Cached Credentials Recon',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:16','2020-05-01 20:56:16',NULL,0,NULL,NULL,423,1,2,0,NULL),(424,1,1,'CMSTP UAC Bypass via COM Object Access',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:16','2020-05-01 20:56:16',NULL,0,NULL,NULL,424,1,2,0,NULL),(425,1,1,'Control Panel Items',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:17','2020-05-01 20:56:17',NULL,0,NULL,NULL,425,1,2,0,NULL),(426,1,1,'Copying Sensitive Files with Credential Data',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:17','2020-05-01 20:56:17',NULL,0,NULL,NULL,426,1,2,0,NULL),(427,1,1,'Fireball Archer Install',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:18','2020-05-01 20:56:18',NULL,0,NULL,NULL,427,1,2,0,NULL),(428,1,1,'Data Compressed - rar.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:18','2020-05-01 20:56:19',NULL,0,NULL,NULL,428,1,2,0,NULL),(429,1,1,'Domain Trust Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:19','2020-05-01 20:56:19',NULL,0,NULL,NULL,429,1,2,0,NULL),(430,1,1,'Encoded FromBase64String',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:20','2020-05-01 20:56:20',NULL,0,NULL,NULL,430,1,2,0,NULL),(431,1,1,'Encoded IEX',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:20','2020-05-01 20:56:20',NULL,0,NULL,NULL,431,1,2,0,NULL),(432,1,1,'Disable of ETW Trace',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:21','2020-05-01 20:56:21',NULL,0,NULL,NULL,432,1,2,0,NULL),(433,1,1,'Exfiltration and Tunneling Tools Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:21','2020-05-01 20:56:21',NULL,0,NULL,NULL,433,1,2,0,NULL),(434,1,1,'Exploit for CVE-2015-1641',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:22','2020-05-01 20:56:22',NULL,0,NULL,NULL,434,1,2,0,NULL),(435,1,1,'Exploit for CVE-2017-0261',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:22','2020-05-01 20:56:22',NULL,0,NULL,NULL,435,1,2,0,NULL),(436,1,1,'Droppers Exploiting CVE-2017-11882',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:23','2020-05-01 20:56:23',NULL,0,NULL,NULL,436,1,2,0,NULL),(437,1,1,'Exploit for CVE-2017-8759',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:23','2020-05-01 20:56:24',NULL,0,NULL,NULL,437,1,2,0,NULL),(438,1,1,'Exploiting SetupComplete.cmd CVE-2019-1378',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:24','2020-05-01 20:56:24',NULL,0,NULL,NULL,438,1,2,0,NULL),(439,1,1,'Exploiting CVE-2019-1388',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:25','2020-05-01 20:56:25',NULL,0,NULL,NULL,439,1,2,0,NULL),(440,1,1,'Exploited CVE-2020-10189 Zoho ManageEngine',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:25','2020-05-01 20:56:25',NULL,0,NULL,NULL,440,1,2,0,NULL),(441,1,1,'File or Folder Permissions Modifications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:26','2020-05-01 20:56:26',NULL,0,NULL,NULL,441,1,2,0,NULL),(442,1,1,'Grabbing Sensitive Hives via Reg Utility',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:26','2020-05-01 20:56:26',NULL,0,NULL,NULL,442,1,2,0,NULL),(443,1,1,'Bloodhound and Sharphound Hack Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:27','2020-05-01 20:56:27',NULL,0,NULL,NULL,443,1,2,0,NULL),(444,1,1,'Koadic Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:27','2020-05-01 20:56:27',NULL,0,NULL,NULL,444,1,2,0,NULL),(445,1,1,'Rubeus Hack Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:28','2020-05-01 20:56:28',NULL,0,NULL,NULL,445,1,2,0,NULL),(446,1,1,'SecurityXploded Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:28','2020-05-01 20:56:28',NULL,0,NULL,NULL,446,1,2,0,NULL),(447,1,1,'HH.exe Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:29','2020-05-01 20:56:29',NULL,0,NULL,NULL,447,1,2,0,NULL),(448,1,1,'HTML Help Shell Spawn',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:29','2020-05-01 20:56:29',NULL,0,NULL,NULL,448,1,2,0,NULL),(449,1,1,'Suspicious HWP Sub Processes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:30','2020-05-01 20:56:30',NULL,0,NULL,NULL,449,1,2,0,NULL),(450,1,1,'Impacket Lateralization Detection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:30','2020-05-01 20:56:30',NULL,0,NULL,NULL,450,1,2,0,NULL),(451,1,1,'Indirect Command Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:31','2020-05-01 20:56:31',NULL,0,NULL,NULL,451,1,2,0,NULL),(452,1,1,'Suspicious Debugger Registration Cmdline',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:31','2020-05-01 20:56:31',NULL,0,NULL,NULL,452,1,2,0,NULL),(453,1,1,'Interactive AT Job',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:32','2020-05-01 20:56:32',NULL,0,NULL,NULL,453,1,2,0,NULL),(454,1,1,'Invoke-Obfuscation Obfuscated IEX Invocation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:32','2020-05-01 20:56:32',NULL,0,NULL,NULL,454,1,2,0,NULL),(455,1,1,'Windows Kernel and 3rd-Party Drivers Exploits Token Stealing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:33','2020-05-01 20:56:33',NULL,0,NULL,NULL,455,1,2,0,NULL),(456,1,1,'MSHTA Spwaned by SVCHOST',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:33','2020-05-01 20:56:34',NULL,0,NULL,NULL,456,1,2,0,NULL),(457,1,1,'Local Accounts Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:34','2020-05-01 20:56:34',NULL,0,NULL,NULL,457,1,2,0,NULL),(458,1,1,'LSASS Memory Dumping',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:35','2020-05-01 20:56:35',NULL,0,NULL,NULL,458,1,2,0,NULL),(459,1,1,'Dridex Process Pattern',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:35','2020-05-01 20:56:35',NULL,0,NULL,NULL,459,1,2,0,NULL),(460,1,1,'DTRACK Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:36','2020-05-01 20:56:36',NULL,0,NULL,NULL,460,1,2,0,NULL),(461,1,1,'Emotet Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:36','2020-05-01 20:56:36',NULL,0,NULL,NULL,461,1,2,0,NULL),(462,1,1,'Formbook Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:37','2020-05-01 20:56:37',NULL,0,NULL,NULL,462,1,2,0,NULL),(463,1,1,'NotPetya Ransomware Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:37','2020-05-01 20:56:37',NULL,0,NULL,NULL,463,1,2,0,NULL),(464,1,1,'QBot Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:38','2020-05-01 20:56:38',NULL,0,NULL,NULL,464,1,2,0,NULL),(465,1,1,'Ryuk Ransomware',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:38','2020-05-01 20:56:38',NULL,0,NULL,NULL,465,1,2,0,NULL),(466,1,1,'WScript or CScript Dropper',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:39','2020-05-01 20:56:39',NULL,0,NULL,NULL,466,1,2,0,NULL),(467,1,1,'Trickbot Malware Recon Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:39','2020-05-01 20:56:39',NULL,0,NULL,NULL,467,1,2,0,NULL),(468,1,1,'WannaCry Ransomware',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:40','2020-05-01 20:56:40',NULL,0,NULL,NULL,468,1,2,0,NULL),(469,1,1,'MavInject Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:40','2020-05-01 20:56:41',NULL,0,NULL,NULL,469,1,2,0,NULL),(470,1,1,'Meterpreter or Cobalt Strike Getsystem Service Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:41','2020-05-01 20:56:41',NULL,0,NULL,NULL,470,1,2,0,NULL),(471,1,1,'Mimikatz Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:42','2020-05-01 20:56:42',NULL,0,NULL,NULL,471,1,2,0,NULL),(472,1,1,'MMC Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:42','2020-05-01 20:56:42',NULL,0,NULL,NULL,472,1,2,0,NULL),(473,1,1,'MSHTA Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:43','2020-05-01 20:56:43',NULL,0,NULL,NULL,473,1,2,0,NULL),(474,1,1,'Quick Execution of a Series of Suspicious Commands',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:43','2020-05-01 20:56:43',NULL,0,NULL,NULL,474,1,2,0,NULL),(475,1,1,'Windows Network Enumeration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:44','2020-05-01 20:56:44',NULL,0,NULL,NULL,475,1,2,0,NULL),(476,1,1,'Net.exe User Account Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:44','2020-05-01 20:56:44',NULL,0,NULL,NULL,476,1,2,0,NULL),(477,1,1,'Netsh',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:45','2020-05-01 20:56:45',NULL,0,NULL,NULL,477,1,2,0,NULL),(478,1,1,'Capture a Network Trace with netsh.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:45','2020-05-01 20:56:45',NULL,0,NULL,NULL,478,1,2,0,NULL),(479,1,1,'Netsh Port Forwarding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:46','2020-05-01 20:56:46',NULL,0,NULL,NULL,479,1,2,0,NULL),(480,1,1,'Netsh RDP Port Forwarding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:46','2020-05-01 20:56:46',NULL,0,NULL,NULL,480,1,2,0,NULL),(481,1,1,'Network Sniffing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:47','2020-05-01 20:56:47',NULL,0,NULL,NULL,481,1,2,0,NULL),(482,1,1,'New Service Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:47','2020-05-01 20:56:48',NULL,0,NULL,NULL,482,1,2,0,NULL),(483,1,1,'Non Interactive PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:48','2020-05-01 20:56:48',NULL,0,NULL,NULL,483,1,2,0,NULL),(484,1,1,'Microsoft Office Product Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:49','2020-05-01 20:56:49',NULL,0,NULL,NULL,484,1,2,0,NULL),(485,1,1,'MS Office Product Spawning Exe in User Dir',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:49','2020-05-01 20:56:49',NULL,0,NULL,NULL,485,1,2,0,NULL),(486,1,1,'Executable Used by PlugX in Uncommon Location',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:50','2020-05-01 20:56:50',NULL,0,NULL,NULL,486,1,2,0,NULL),(487,1,1,'Possible Applocker Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:50','2020-05-01 20:56:50',NULL,0,NULL,NULL,487,1,2,0,NULL),(488,1,1,'Detection of Possible Rotten Potato',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:51','2020-05-01 20:56:51',NULL,0,NULL,NULL,488,1,2,0,NULL),(489,1,1,'Powershell AMSI Bypass via .NET Reflection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:51','2020-05-01 20:56:51',NULL,0,NULL,NULL,489,1,2,0,NULL),(490,1,1,'Audio Capture via PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:52','2020-05-01 20:56:52',NULL,0,NULL,NULL,490,1,2,0,NULL),(491,1,1,'PowerShell Base64 Encoded Shellcode',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:52','2020-05-01 20:56:52',NULL,0,NULL,NULL,491,1,2,0,NULL),(492,1,1,'Suspicious Bitsadmin Job via PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:53','2020-05-01 20:56:53',NULL,0,NULL,NULL,492,1,2,0,NULL),(493,1,1,'Detection of PowerShell Execution via DLL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:53','2020-05-01 20:56:53',NULL,0,NULL,NULL,493,1,2,0,NULL),(494,1,1,'PowerShell Downgrade Attack',NULL,NULL,NULL,6,NULL,1,NULL,9,1,'2020-05-01 20:56:54','2020-05-13 14:07:11',NULL,0,NULL,NULL,494,1,2,0,NULL),(495,1,1,'PowerShell Download from URL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:54','2020-05-01 20:56:54',NULL,0,NULL,NULL,495,1,2,0,NULL),(496,1,1,'FromBase64String Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:55','2020-05-01 20:56:55',NULL,0,NULL,NULL,496,1,2,0,NULL),(497,1,1,'Suspicious PowerShell Parameter Substring',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:55','2020-05-01 20:56:56',NULL,0,NULL,NULL,497,1,2,0,NULL),(498,1,1,'Suspicious XOR Encoded PowerShell Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:56','2020-05-01 20:56:56',NULL,0,NULL,NULL,498,1,2,0,NULL),(499,1,1,'Default PowerSploit and Empire Schtasks Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:56','2020-05-01 20:56:57',NULL,0,NULL,NULL,499,1,2,0,NULL),(500,1,1,'Windows Processes Suspicious Parent Directory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:57','2020-05-01 20:56:57',NULL,0,NULL,NULL,500,1,2,0,NULL),(501,1,1,'Bitsadmin Download',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:58','2020-05-01 20:56:58',NULL,0,NULL,NULL,501,1,2,0,NULL),(502,1,1,'Process Dump via Rundll32 and Comsvcs.dll',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:58','2020-05-01 20:56:58',NULL,0,NULL,NULL,502,1,2,0,NULL),(503,1,1,'PsExec Service Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:59','2020-05-01 20:56:59',NULL,0,NULL,NULL,503,1,2,0,NULL),(504,1,1,'Query Registry',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:59','2020-05-01 20:56:59',NULL,0,NULL,NULL,504,1,2,0,NULL),(505,1,1,'MSTSC Shadowing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:00','2020-05-01 20:57:00',NULL,0,NULL,NULL,505,1,2,0,NULL),(506,1,1,'Remote PowerShell Session',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:00','2020-05-01 20:57:00',NULL,0,NULL,NULL,506,1,2,0,NULL),(507,1,1,'Discovery of a System Time',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:01','2020-05-01 20:57:01',NULL,0,NULL,NULL,507,1,2,0,NULL),(508,1,1,'Renamed Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,2,'2020-05-01 20:57:01','2020-05-13 14:07:11',NULL,0,NULL,NULL,508,1,2,0,NULL),(509,1,1,'Highly Relevant Renamed Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:02','2020-05-01 20:57:02',NULL,0,NULL,NULL,509,1,2,0,NULL),(510,1,1,'Execution of Renamed PaExec',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:03','2020-05-01 20:57:03',NULL,0,NULL,NULL,510,1,2,0,NULL),(511,1,1,'Run PowerShell Script from ADS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:03','2020-05-01 20:57:03',NULL,0,NULL,NULL,511,1,2,0,NULL),(512,1,1,'Possible Shim Database Persistence via sdbinst.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:04','2020-05-01 20:57:04',NULL,0,NULL,NULL,512,1,2,0,NULL),(513,1,1,'Service Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:04','2020-05-01 20:57:04',NULL,0,NULL,NULL,513,1,2,0,NULL),(514,1,1,'Stop Windows Service',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:05','2020-05-01 20:57:05',NULL,0,NULL,NULL,514,1,2,0,NULL),(515,1,1,'Shadow Copies Access via Symlink',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:05','2020-05-01 20:57:05',NULL,0,NULL,NULL,515,1,2,0,NULL),(516,1,1,'Shadow Copies Creation Using Operating Systems Utilities',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:06','2020-05-01 20:57:06',NULL,0,NULL,NULL,516,1,2,0,NULL),(517,1,1,'Shadow Copies Deletion Using Operating Systems Utilities',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:06','2020-05-01 20:57:06',NULL,0,NULL,NULL,517,1,2,0,NULL),(518,1,1,'Windows Shell Spawning Suspicious Program',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:07','2020-05-01 20:57:07',NULL,0,NULL,NULL,518,1,2,0,NULL),(519,1,1,'Audio Capture via SoundRecorder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:07','2020-05-01 20:57:07',NULL,0,NULL,NULL,519,1,2,0,NULL),(520,1,1,'Possible SPN Enumeration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:08','2020-05-01 20:57:08',NULL,0,NULL,NULL,520,1,2,0,NULL),(521,1,1,'Possible Ransomware or Unauthorized MBR Modifications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:08','2020-05-01 20:57:08',NULL,0,NULL,NULL,521,1,2,0,NULL),(522,1,1,'Application Whitelisting Bypass via Bginfo',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:09','2020-05-01 20:57:09',NULL,0,NULL,NULL,522,1,2,0,NULL),(523,1,1,'Suspicious Calculator Usage',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:09','2020-05-01 20:57:09',NULL,0,NULL,NULL,523,1,2,0,NULL),(524,1,1,'Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:10','2020-05-01 20:57:10',NULL,0,NULL,NULL,524,1,2,0,NULL),(525,1,1,'Suspicious Certutil Command',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:10','2020-05-01 20:57:10',NULL,0,NULL,NULL,525,1,2,0,NULL),(526,1,1,'Certutil Encode',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:11','2020-05-01 20:57:11',NULL,0,NULL,NULL,526,1,2,0,NULL),(527,1,1,'Suspicious Commandline Escape',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:11','2020-05-01 20:57:12',NULL,0,NULL,NULL,527,1,2,0,NULL),(528,1,1,'Command Line Execution with Suspicious URL and AppData Strings',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:12','2020-05-01 20:57:12',NULL,0,NULL,NULL,528,1,2,0,NULL),(529,1,1,'Suspicious Code Page Switch',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:12','2020-05-01 20:57:13',NULL,0,NULL,NULL,529,1,2,0,NULL),(530,1,1,'Reconnaissance Activity with Net Command',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:13','2020-05-01 20:57:13',NULL,0,NULL,NULL,530,1,2,0,NULL),(531,1,1,'Suspicious Compression Tool Parameters',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:14','2020-05-01 20:57:14',NULL,0,NULL,NULL,531,1,2,0,NULL),(532,1,1,'Process Dump via Comsvcs DLL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:14','2020-05-01 20:57:14',NULL,0,NULL,NULL,532,1,2,0,NULL),(533,1,1,'Suspicious Control Panel DLL Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:15','2020-05-01 20:57:15',NULL,0,NULL,NULL,533,1,2,0,NULL),(534,1,1,'Copy from Admin Share',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:15','2020-05-01 20:57:15',NULL,0,NULL,NULL,534,1,2,0,NULL),(535,1,1,'Suspicious Parent of Csc.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:16','2020-05-01 20:57:16',NULL,0,NULL,NULL,535,1,2,0,NULL),(536,1,1,'Suspicious Csc.exe Source File Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:16','2020-05-01 20:57:16',NULL,0,NULL,NULL,536,1,2,0,NULL),(537,1,1,'Curl Start Combination',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:17','2020-05-01 20:57:17',NULL,0,NULL,NULL,537,1,2,0,NULL),(538,1,1,'ZOHO Dctask64 Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:17','2020-05-01 20:57:17',NULL,0,NULL,NULL,538,1,2,0,NULL),(539,1,1,'Devtoolslauncher.exe Executes Specified Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:18','2020-05-01 20:57:18',NULL,0,NULL,NULL,539,1,2,0,NULL),(540,1,1,'Direct Autorun Keys Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:18','2020-05-01 20:57:18',NULL,0,NULL,NULL,540,1,2,0,NULL),(541,1,1,'Application Whitelisting Bypass via Dnx.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:19','2020-05-01 20:57:19',NULL,0,NULL,NULL,541,1,2,0,NULL),(542,1,1,'Suspicious Double Extension',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:19','2020-05-01 20:57:20',NULL,0,NULL,NULL,542,1,2,0,NULL),(543,1,1,'Application Whitelisting Bypass via Dxcap.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:20','2020-05-01 20:57:20',NULL,0,NULL,NULL,543,1,2,0,NULL),(544,1,1,'Suspicious Eventlog Clear or Configuration Using Wevtutil',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:21','2020-05-01 20:57:21',NULL,0,NULL,NULL,544,1,2,0,NULL),(545,1,1,'Executables Started in Suspicious Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:21','2020-05-01 20:57:21',NULL,0,NULL,NULL,545,1,2,0,NULL),(546,1,1,'Execution in Non-Executable Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:22','2020-05-01 20:57:22',NULL,0,NULL,NULL,546,1,2,0,NULL),(547,1,1,'Execution in Webserver Root Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:22','2020-05-01 20:57:22',NULL,0,NULL,NULL,547,1,2,0,NULL),(548,1,1,'Firewall Disabled via Netsh',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:23','2020-05-01 20:57:23',NULL,0,NULL,NULL,548,1,2,0,NULL),(549,1,1,'Fsutil Suspicious Invocation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:23','2020-05-01 20:57:23',NULL,0,NULL,NULL,549,1,2,0,NULL),(550,1,1,'Suspicious GUP Usage',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:24','2020-05-01 20:57:24',NULL,0,NULL,NULL,550,1,2,0,NULL),(551,1,1,'IIS Native-Code Module Command Line Installation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:24','2020-05-01 20:57:24',NULL,0,NULL,NULL,551,1,2,0,NULL),(552,1,1,'Suspicious MsiExec Directory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:25','2020-05-01 20:57:25',NULL,0,NULL,NULL,552,1,2,0,NULL),(553,1,1,'MsiExec Web Install',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:25','2020-05-01 20:57:26',NULL,0,NULL,NULL,553,1,2,0,NULL),(554,1,1,'Malicious Payload Download via Office Binaries',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:26','2020-05-01 20:57:26',NULL,0,NULL,NULL,554,1,2,0,NULL),(555,1,1,'Net.exe Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:27','2020-05-01 20:57:27',NULL,0,NULL,NULL,555,1,2,0,NULL),(556,1,1,'Suspicious Netsh DLL Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:27','2020-05-13 14:07:11',NULL,0,NULL,NULL,556,1,2,0,NULL),(557,1,1,'Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:28','2020-05-01 20:57:28',NULL,0,NULL,NULL,557,1,2,0,NULL),(558,1,1,'Application Whitelisting Bypass via DLL Loaded by odbcconf.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:28','2020-05-01 20:57:28',NULL,0,NULL,NULL,558,1,2,0,NULL),(559,1,1,'OpenWith.exe Executes Specified Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:29','2020-05-01 20:57:29',NULL,0,NULL,NULL,559,1,2,0,NULL),(560,1,1,'Suspicious Execution from Outlook',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:29','2020-05-01 20:57:29',NULL,0,NULL,NULL,560,1,2,0,NULL),(561,1,1,'Execution in Outlook Temp Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:30','2020-05-01 20:57:30',NULL,0,NULL,NULL,561,1,2,0,NULL),(562,1,1,'Ping Hex IP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:30','2020-05-01 20:57:30',NULL,0,NULL,NULL,562,1,2,0,NULL),(563,1,1,'Empire PowerShell Launch Parameters',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:31','2020-05-01 20:57:31',NULL,0,NULL,NULL,563,1,2,0,NULL),(564,1,1,'Empire PowerShell UAC Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:31','2020-05-01 20:57:31',NULL,0,NULL,NULL,564,1,2,0,NULL),(565,1,1,'Suspicious Encoded PowerShell Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:32','2020-05-01 20:57:32',NULL,0,NULL,NULL,565,1,2,0,NULL),(566,1,1,'Malicious Base64 Encoded PowerShell Keywords in Command Lines',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:32','2020-05-01 20:57:33',NULL,0,NULL,NULL,566,1,2,0,NULL),(567,1,1,'Suspicious PowerShell Invocation Based on Parent Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:33','2020-05-01 20:57:33',NULL,0,NULL,NULL,567,1,2,0,NULL),(568,1,1,'Suspicious Use of Procdump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:34','2020-05-01 20:57:34',NULL,0,NULL,NULL,568,1,2,0,NULL),(569,1,1,'Suspicious Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:34','2020-05-01 20:57:34',NULL,0,NULL,NULL,569,1,2,0,NULL),(570,1,1,'Suspicious Program Location Process Starts',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:35','2020-05-01 20:57:35',NULL,0,NULL,NULL,570,1,2,0,NULL),(571,1,1,'PowerShell Script Run in AppData',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:35','2020-05-01 20:57:35',NULL,0,NULL,NULL,571,1,2,0,NULL),(572,1,1,'PowerShell DownloadFile',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:36','2020-05-01 20:57:36',NULL,0,NULL,NULL,572,1,2,0,NULL),(573,1,1,'Psr.exe Capture Screenshots',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:36','2020-05-01 20:57:36',NULL,0,NULL,NULL,573,1,2,0,NULL),(574,1,1,'Suspicious RASdial Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:37','2020-05-01 20:57:37',NULL,0,NULL,NULL,574,1,2,0,NULL),(575,1,1,'Suspicious Reconnaissance Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:37','2020-05-01 20:57:37',NULL,0,NULL,NULL,575,1,2,0,NULL),(576,1,1,'Regsvr32 Anomaly',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:38','2020-05-01 20:57:38',NULL,0,NULL,NULL,576,1,2,0,NULL),(577,1,1,'Renamed ZOHO Dctask64',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:38','2020-05-01 20:57:38',NULL,0,NULL,NULL,577,1,2,0,NULL),(578,1,1,'Suspicious Process Start Locations',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:39','2020-05-01 20:57:39',NULL,0,NULL,NULL,578,1,2,0,NULL),(579,1,1,'Suspicious Rundll32 Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:39','2020-05-01 20:57:40',NULL,0,NULL,NULL,579,1,2,0,NULL),(580,1,1,'Suspicious Call by Ordinal',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:40','2020-05-01 20:57:40',NULL,0,NULL,NULL,580,1,2,0,NULL),(581,1,1,'Scheduled Task Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:41','2020-05-01 20:57:41',NULL,0,NULL,NULL,581,1,2,0,NULL),(582,1,1,'WSF/JSE/JS/VBA/VBE File Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:41','2020-05-01 20:57:41',NULL,0,NULL,NULL,582,1,2,0,NULL),(583,1,1,'Suspicious Service Path Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:42','2020-05-01 20:57:42',NULL,0,NULL,NULL,583,1,2,0,NULL),(584,1,1,'Squirrel Lolbin',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:42','2020-05-01 20:57:42',NULL,0,NULL,NULL,584,1,2,0,NULL),(585,1,1,'Suspicious Svchost Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:43','2020-05-01 20:57:43',NULL,0,NULL,NULL,585,1,2,0,NULL),(586,1,1,'Suspect Svchost Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:43','2020-05-01 20:57:43',NULL,0,NULL,NULL,586,1,2,0,NULL),(587,1,1,'Sysprep on AppData Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:44','2020-05-01 20:57:44',NULL,0,NULL,NULL,587,1,2,0,NULL),(588,1,1,'Suspicious SYSVOL Domain Group Policy Access',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:44','2020-05-01 20:57:44',NULL,0,NULL,NULL,588,1,2,0,NULL),(589,1,1,'Taskmgr as LOCAL_SYSTEM',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:45','2020-05-01 20:57:45',NULL,0,NULL,NULL,589,1,2,0,NULL),(590,1,1,'Taskmgr as Parent',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:45','2020-05-01 20:57:45',NULL,0,NULL,NULL,590,1,2,0,NULL),(591,1,1,'Suspicious TSCON Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:46','2020-05-01 20:57:46',NULL,0,NULL,NULL,591,1,2,0,NULL),(592,1,1,'Suspicious RDP Redirect Using TSCON',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:46','2020-05-01 20:57:47',NULL,0,NULL,NULL,592,1,2,0,NULL),(593,1,1,'Suspicious Use of CSharp Interactive Console',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:47','2020-05-01 20:57:47',NULL,0,NULL,NULL,593,1,2,0,NULL),(594,1,1,'Suspicious Userinit Child Process',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:47','2020-05-01 20:57:48',NULL,0,NULL,NULL,594,1,2,0,NULL),(595,1,1,'Whoami Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:48','2020-05-01 20:57:48',NULL,0,NULL,NULL,595,1,2,0,NULL),(596,1,1,'Suspicious WMI Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:49','2020-05-01 20:57:49',NULL,0,NULL,NULL,596,1,2,0,NULL),(597,1,1,'Sysmon Driver Unload',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:49','2020-05-01 20:57:49',NULL,0,NULL,NULL,597,1,2,0,NULL),(598,1,1,'System File Execution Location Anomaly',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:50','2020-05-01 20:57:50',NULL,0,NULL,NULL,598,1,2,0,NULL),(599,1,1,'Tap Installer Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:50','2020-05-01 20:57:50',NULL,0,NULL,NULL,599,1,2,0,NULL),(600,1,1,'Tasks Folder Evasion',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:51','2020-05-01 20:57:51',NULL,0,NULL,NULL,600,1,2,0,NULL),(601,1,1,'Terminal Service Process Spawn',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:51','2020-05-01 20:57:51',NULL,0,NULL,NULL,601,1,2,0,NULL),(602,1,1,'Domain Trust Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:52','2020-05-01 20:57:52',NULL,0,NULL,NULL,602,1,2,0,NULL),(603,1,1,'Bypass UAC via CMSTP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:52','2020-05-01 20:57:52',NULL,0,NULL,NULL,603,1,2,0,NULL),(604,1,1,'Bypass UAC via Fodhelper.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:53','2020-05-01 20:57:53',NULL,0,NULL,NULL,604,1,2,0,NULL),(605,1,1,'Bypass UAC via WSReset.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:53','2020-05-01 20:57:53',NULL,0,NULL,NULL,605,1,2,0,NULL),(606,1,1,'Possible Privilege Escalation via Weak Service Permissions',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:54','2020-05-01 20:57:54',NULL,0,NULL,NULL,606,1,2,0,NULL),(607,1,1,'Java Running with Remote Debugging',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:54','2020-05-01 20:57:55',NULL,0,NULL,NULL,607,1,2,0,NULL),(608,1,1,'Webshell Detection With Command Line Keywords',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:55','2020-05-01 20:57:55',NULL,0,NULL,NULL,608,1,2,0,NULL),(609,1,1,'Shells Spawned by Web Servers',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:55','2020-05-01 20:57:56',NULL,0,NULL,NULL,609,1,2,0,NULL),(610,1,1,'Run Whoami as SYSTEM',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:56','2020-05-01 20:57:56',NULL,0,NULL,NULL,610,1,2,0,NULL),(611,1,1,'Windows 10 Scheduled Task SandboxEscaper 0-day',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:57','2020-05-01 20:57:57',NULL,0,NULL,NULL,611,1,2,0,NULL),(612,1,1,'WMI Backdoor Exchange Transport Agent',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:57','2020-05-01 20:57:57',NULL,0,NULL,NULL,612,1,2,0,NULL),(613,1,1,'WMI Persistence - Script Event Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:58','2020-05-01 20:57:58',NULL,0,NULL,NULL,613,1,2,0,NULL),(614,1,1,'WMI Spawning Windows PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:58','2020-05-01 20:57:58',NULL,0,NULL,NULL,614,1,2,0,NULL),(615,1,1,'Wmiprvse Spawning Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:59','2020-05-01 20:57:59',NULL,0,NULL,NULL,615,1,2,0,NULL),(616,1,1,'Microsoft Workflow Compiler',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:59','2020-05-01 20:57:59',NULL,0,NULL,NULL,616,1,2,0,NULL),(617,1,1,'Wsreset UAC Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:58:00','2020-05-01 20:58:00',NULL,0,NULL,NULL,617,1,2,0,NULL),(618,1,1,'XSL Script Processing',NULL,NULL,NULL,4,NULL,1,NULL,9,3,'2020-05-01 20:58:00','2020-05-03 10:00:57',NULL,0,NULL,NULL,618,1,2,0,NULL),(620,1,1,'New Sensitive Shared Resource',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 13:30:57','2020-05-13 13:30:57',NULL,0,NULL,NULL,620,1,2,0,NULL),(621,1,1,'Whoami Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 14:05:41','2020-05-13 14:05:41',NULL,0,NULL,NULL,621,1,2,0,NULL),(622,1,1,'Advanced IP Scanner',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 14:07:09','2020-05-13 14:07:09',NULL,0,NULL,NULL,622,1,2,0,NULL),(623,1,1,'Harvesting of Wifi Credentials Using netsh.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 14:07:11','2020-05-13 14:07:11',NULL,0,NULL,NULL,623,1,2,0,NULL); /*!40000 ALTER TABLE `issues` ENABLE KEYS */; UNLOCK TABLES; @@ -827,7 +825,7 @@ CREATE TABLE `journal_details` ( `value` longtext, PRIMARY KEY (`id`), KEY `journal_details_journal_id` (`journal_id`) -) ENGINE=InnoDB AUTO_INCREMENT=14 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=9 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- @@ -836,7 +834,6 @@ CREATE TABLE `journal_details` ( LOCK TABLES `journal_details` WRITE; /*!40000 ALTER TABLE `journal_details` DISABLE KEYS */; -INSERT INTO `journal_details` VALUES (5,621,'attr','status_id','2','3'),(6,621,'cf','9','{{collapse(View Sigma)\n
\n\ntitle: XSL Script Processing\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\nstatus: experimental\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\n  the processing and rendering of data within XML files, rule detects when adversaries\n  abuse this functionality to execute arbitrary files while potentially bypassing\n  application whitelisting defenses\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n  - Image|endswith: \\wmic.exe\n    CommandLine|contains: /format\n  - Image|endswith: \\msxsl.exe\n  condition: selection\nfalsepositives:\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\n- msxsl.exe is not installed by default so unlikely.\nlevel: medium\ntags:\n- attack.execution\n- attack.t1220\n\n
\n}}','{{collapse(View Sigma)\r\n
\r\n\r\ntitle: XSL Script Processing\r\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\r\nstatus: experimental\r\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\r\n  the processing and rendering of data within XML files, rule detects when adversaries\r\n  abuse this functionality to execute arbitrary files while potentially bypassing\r\n  application whitelisting defenses\r\nauthor: Timur Zinniatullin, oscd.community\r\ndate: 2019/10/21\r\nmodified: 2019/11/04\r\nreferences:\r\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n  - Image|endswith: \\wmic.exe\r\n    CommandLine|contains: /format\r\n  - Image|endswith: \\msxsl.exe\r\n  condition: selection\r\nfalsepositives:\r\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\r\n- msxsl.exe is not installed by default so unlikely.\r\nlevel: medium\r\ntags:\r\n- attack.execution\r\n- attack.t1220\r\n\r\n
\r\n}}'),(7,622,'cf','7','','gVP62XEBH72G5DlCexmq'),(8,623,'attr','status_id','3','4'),(9,627,'cf','9','{{collapse(View Sigma)\n
\n\ntitle: Modification of Boot Configuration\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\ndescription: Identifies use of the bcdedit command to delete boot configuration data.\n  This tactic is sometimes used as by malware or an attacker as a destructive technique.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\ntags:\n- attack.impact\n- attack.t1490\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection1:\n    Image|endswith: \\bcdedit.exe\n    CommandLine: set\n  selection2:\n  - CommandLine|contains|all:\n    - bootstatuspolicy\n    - ignoreallfailures\n  - CommandLine|contains|all:\n    - recoveryenabled\n    - no\n  condition: selection1 and selection2\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}','{{collapse(View Sigma)\n
\n\ntitle: Modification of Boot Configuration\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\ndescription: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive\n    technique.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\n    - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        Image|endswith: \\bcdedit.exe\n        CommandLine|contains: set\n    selection2:\n        - CommandLine|contains|all:\n            - bootstatuspolicy\n            - ignoreallfailures\n        - CommandLine|contains|all:\n            - recoveryenabled\n            - \'no\'\n    condition: selection1 and selection2\nfields:\n    - ComputerName\n    - User\n    - CommandLine\nfalsepositives:\n    - Unlikely\nlevel: high\n\n
\n}}'),(10,629,'cf','9','{{collapse(View Sigma)\n
\n\naction: global\ntitle: PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n- id: 6331d09b-4785-4c13-980f-f96661356249\n  type: derived\nstatus: experimental\ndescription: Detects PowerShell downgrade attack by comparing the host versions with\n  the actually used engine version 2.0\nreferences:\n- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1086\nauthor: Harish Segar (rule)\ndate: 2020/03/20\nfalsepositives:\n- Penetration Test\n- Unknown\nlevel: medium\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains:\n    - \' -version 2 \'\n    - \' -versio 2 \'\n    - \' -versi 2 \'\n    - \' -vers 2 \'\n    - \' -ver 2 \'\n    - \' -ve 2 \'\n    Image|endswith: \\powershell.exe\n  condition: selection\n\n
\n}}','{{collapse(View Sigma)\n
\n\ntitle: PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n  - id: 6331d09b-4785-4c13-980f-f96661356249\n    type: derived\nstatus: experimental\ndescription: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0\nreferences:\n    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\ntags:\n    - attack.defense_evasion\n    - attack.execution\n    - attack.t1086\nauthor: Harish Segar (rule)\ndate: 2020/03/20\nfalsepositives:\n    - Penetration Test\n    - Unknown\nlevel: medium\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: \n            - \' -version 2 \'\n            - \' -versio 2 \'\n            - \' -versi 2 \'\n            - \' -vers 2 \'\n            - \' -ver 2 \'\n            - \' -ve 2 \'        \n        Image|endswith: \'\\powershell.exe\'\n    condition: selection\n\n
\n}}'),(11,630,'cf','9','{{collapse(View Sigma)\n
\n\ntitle: Renamed Binary\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or\n  malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community\n  (improvements)\ndate: 2019/06/15\nmodified: 2019/11/11\nreferences:\n- https://attack.mitre.org/techniques/T1036/\n- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n- attack.t1036\n- attack.defense_evasion\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    OriginalFileName:\n    - cmd.exe\n    - powershell.exe\n    - powershell_ise.exe\n    - psexec.exe\n    - psexec.c\n    - cscript.exe\n    - wscript.exe\n    - mshta.exe\n    - regsvr32.exe\n    - wmic.exe\n    - certutil.exe\n    - rundll32.exe\n    - cmstp.exe\n    - msiexec.exe\n    - 7z.exe\n    - winrar.exe\n    - wevtutil.exe\n    - net.exe\n    - net1.exe\n  filter:\n    Image|endswith:\n    - \\cmd.exe\n    - \\powershell.exe\n    - \\powershell_ise.exe\n    - \\psexec.exe\n    - \\psexec64.exe\n    - \\cscript.exe\n    - \\wscript.exe\n    - \\mshta.exe\n    - \\regsvr32.exe\n    - \\wmic.exe\n    - \\certutil.exe\n    - \\rundll32.exe\n    - \\cmstp.exe\n    - \\msiexec.exe\n    - \\7z.exe\n    - \\winrar.exe\n    - \\wevtutil.exe\n    - \\net.exe\n    - \\net1.exe\n  condition: selection and not filter\nfalsepositives:\n- Custom applications use renamed binaries adding slight change to binary name. Typically\n  this is easy to spot and add to whitelist\nlevel: medium\n\n
\n}}','{{collapse(View Sigma)\n
\n\ntitle: Renamed Binary\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)\ndate: 2019/06/15\nmodified: 2019/11/11\nreferences:\n    - https://attack.mitre.org/techniques/T1036/\n    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n    - attack.t1036\n    - attack.defense_evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName:\n            - \'cmd.exe\'\n            - \'powershell.exe\'\n            - \'powershell_ise.exe\'\n            - \'psexec.exe\'\n            - \'psexec.c\'  # old versions of psexec (2016 seen)\n            - \'cscript.exe\'\n            - \'wscript.exe\'\n            - \'mshta.exe\'\n            - \'regsvr32.exe\'\n            - \'wmic.exe\'\n            - \'certutil.exe\'\n            - \'rundll32.exe\'\n            - \'cmstp.exe\'\n            - \'msiexec.exe\'\n            - \'7z.exe\'\n            - \'winrar.exe\'\n            - \'wevtutil.exe\'\n            - \'net.exe\'\n            - \'net1.exe\'\n            - \'netsh.exe\'\n    filter:\n        Image|endswith:\n            - \'\\cmd.exe\'\n            - \'\\powershell.exe\'\n            - \'\\powershell_ise.exe\'\n            - \'\\psexec.exe\'\n            - \'\\psexec64.exe\'\n            - \'\\cscript.exe\'\n            - \'\\wscript.exe\'\n            - \'\\mshta.exe\'\n            - \'\\regsvr32.exe\'\n            - \'\\wmic.exe\'\n            - \'\\certutil.exe\'\n            - \'\\rundll32.exe\'\n            - \'\\cmstp.exe\'\n            - \'\\msiexec.exe\'\n            - \'\\7z.exe\'\n            - \'\\winrar.exe\'\n            - \'\\wevtutil.exe\'\n            - \'\\net.exe\'\n            - \'\\net1.exe\'\n            - \'\\netsh.exe\'\n    condition: selection and not filter\nfalsepositives:\n    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist\nlevel: medium\n\n
\n}}'),(12,631,'cf','9','{{collapse(View Sigma)\n
\n\ntitle: Suspicious Netsh DLL Persistence\nid: 56321594-9087-49d9-bf10-524fe8479452\ndescription: Detects persitence via netsh helper\nstatus: test\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md\ntags:\n- attack.persistence\n- attack.t1128\ndate: 2019/10/25\nmodified: 2019/10/25\nauthor: Victor Sergeev, oscd.community\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    Image|endswith: \\netsh.exe\n    CommandLine|contains|all:\n    - add\n    - helper\n  condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}','{{collapse(View Sigma)\n
\n\ntitle: Suspicious Netsh DLL Persistence\nid: 56321594-9087-49d9-bf10-524fe8479452\ndescription: Detects persitence via netsh helper\nstatus: testing\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md\ntags:\n    - attack.persistence\n    - attack.t1128\ndate: 2019/10/25\nmodified: 2019/10/25\nauthor: Victor Sergeev, oscd.community\nlogsource:\n    category: process_creation\n    product: windows   \ndetection:\n    selection:\n        Image|endswith: \'\\netsh.exe\'\n        CommandLine|contains|all:\n            - \'add\'\n            - \'helper\'\n    condition: selection\nfields:\n    - ComputerName\n    - User\n    - CommandLine\n    - ParentCommandLine\nfalsepositives:\n    - Unknown\nlevel: high\n\n
\n}}'); /*!40000 ALTER TABLE `journal_details` ENABLE KEYS */; UNLOCK TABLES; @@ -860,7 +857,7 @@ CREATE TABLE `journals` ( KEY `index_journals_on_user_id` (`user_id`), KEY `index_journals_on_journalized_id` (`journalized_id`), KEY `index_journals_on_created_on` (`created_on`) -) ENGINE=InnoDB AUTO_INCREMENT=633 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=8218 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- @@ -869,7 +866,6 @@ CREATE TABLE `journals` ( LOCK TABLES `journals` WRITE; /*!40000 ALTER TABLE `journals` DISABLE KEYS */; -INSERT INTO `journals` VALUES (311,313,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:55:14',0),(312,314,'Issue',9,'Play imported successfully.','2020-05-01 20:55:15',0),(313,315,'Issue',9,'Play imported successfully.','2020-05-01 20:55:15',0),(314,316,'Issue',9,'Play imported successfully.','2020-05-01 20:55:16',0),(315,317,'Issue',9,'Play imported successfully.','2020-05-01 20:55:16',0),(316,318,'Issue',9,'Play imported successfully.','2020-05-01 20:55:17',0),(317,319,'Issue',9,'Play imported successfully.','2020-05-01 20:55:17',0),(318,320,'Issue',9,'Play imported successfully.','2020-05-01 20:55:18',0),(319,321,'Issue',9,'Play imported successfully.','2020-05-01 20:55:19',0),(320,322,'Issue',9,'Play imported successfully.','2020-05-01 20:55:19',0),(321,323,'Issue',9,'Play imported successfully.','2020-05-01 20:55:20',0),(322,324,'Issue',9,'Play imported successfully.','2020-05-01 20:55:20',0),(323,325,'Issue',9,'Play imported successfully.','2020-05-01 20:55:21',0),(324,326,'Issue',9,'Play imported successfully.','2020-05-01 20:55:21',0),(325,327,'Issue',9,'Play imported successfully.','2020-05-01 20:55:22',0),(326,328,'Issue',9,'Play imported successfully.','2020-05-01 20:55:22',0),(327,329,'Issue',9,'Play imported successfully.','2020-05-01 20:55:23',0),(328,330,'Issue',9,'Play imported successfully.','2020-05-01 20:55:24',0),(329,331,'Issue',9,'Play imported successfully.','2020-05-01 20:55:24',0),(330,332,'Issue',9,'Play imported successfully.','2020-05-01 20:55:25',0),(331,333,'Issue',9,'Play imported successfully.','2020-05-01 20:55:25',0),(332,334,'Issue',9,'Play imported successfully.','2020-05-01 20:55:26',0),(333,335,'Issue',9,'Play imported successfully.','2020-05-01 20:55:27',0),(334,336,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:55:28',0),(335,337,'Issue',9,'Play imported successfully.','2020-05-01 20:55:28',0),(336,338,'Issue',9,'Play imported successfully.','2020-05-01 20:55:29',0),(337,339,'Issue',9,'Play imported successfully.','2020-05-01 20:55:29',0),(338,340,'Issue',9,'Play imported successfully.','2020-05-01 20:55:30',0),(339,341,'Issue',9,'Play imported successfully.','2020-05-01 20:55:30',0),(340,342,'Issue',9,'Play imported successfully.','2020-05-01 20:55:31',0),(341,343,'Issue',9,'Play imported successfully.','2020-05-01 20:55:31',0),(342,344,'Issue',9,'Play imported successfully.','2020-05-01 20:55:32',0),(343,345,'Issue',9,'Play imported successfully.','2020-05-01 20:55:33',0),(344,346,'Issue',9,'Play imported successfully.','2020-05-01 20:55:33',0),(345,347,'Issue',9,'Play imported successfully.','2020-05-01 20:55:34',0),(346,348,'Issue',9,'Play imported successfully.','2020-05-01 20:55:34',0),(347,349,'Issue',9,'Play imported successfully.','2020-05-01 20:55:35',0),(348,350,'Issue',9,'Play imported successfully.','2020-05-01 20:55:36',0),(349,351,'Issue',9,'Play imported successfully.','2020-05-01 20:55:36',0),(350,352,'Issue',9,'Play imported successfully.','2020-05-01 20:55:37',0),(351,353,'Issue',9,'Play imported successfully.','2020-05-01 20:55:37',0),(352,354,'Issue',9,'Play imported successfully.','2020-05-01 20:55:38',0),(353,355,'Issue',9,'Play imported successfully.','2020-05-01 20:55:38',0),(354,356,'Issue',9,'Play imported successfully.','2020-05-01 20:55:39',0),(355,357,'Issue',9,'Play imported successfully.','2020-05-01 20:55:39',0),(356,358,'Issue',9,'Play imported successfully.','2020-05-01 20:55:40',0),(357,359,'Issue',9,'Play imported successfully.','2020-05-01 20:55:40',0),(358,360,'Issue',9,'Play imported successfully.','2020-05-01 20:55:41',0),(359,361,'Issue',9,'Play imported successfully.','2020-05-01 20:55:42',0),(360,362,'Issue',9,'Play imported successfully.','2020-05-01 20:55:42',0),(361,363,'Issue',9,'Play imported successfully.','2020-05-01 20:55:43',0),(362,364,'Issue',9,'Play imported successfully.','2020-05-01 20:55:43',0),(363,365,'Issue',9,'Play imported successfully.','2020-05-01 20:55:44',0),(364,366,'Issue',9,'Play imported successfully.','2020-05-01 20:55:44',0),(365,367,'Issue',9,'Play imported successfully.','2020-05-01 20:55:45',0),(366,368,'Issue',9,'Play imported successfully.','2020-05-01 20:55:45',0),(367,369,'Issue',9,'Play imported successfully.','2020-05-01 20:55:46',0),(368,370,'Issue',9,'Play imported successfully.','2020-05-01 20:55:46',0),(369,371,'Issue',9,'Play imported successfully.','2020-05-01 20:55:47',0),(370,372,'Issue',9,'Play imported successfully.','2020-05-01 20:55:47',0),(371,373,'Issue',9,'Play imported successfully.','2020-05-01 20:55:48',0),(372,374,'Issue',9,'Play imported successfully.','2020-05-01 20:55:49',0),(373,375,'Issue',9,'Play imported successfully.','2020-05-01 20:55:49',0),(374,376,'Issue',9,'Play imported successfully.','2020-05-01 20:55:50',0),(375,377,'Issue',9,'Play imported successfully.','2020-05-01 20:55:50',0),(376,378,'Issue',9,'Play imported successfully.','2020-05-01 20:55:51',0),(377,379,'Issue',9,'Play imported successfully.','2020-05-01 20:55:51',0),(378,380,'Issue',9,'Play imported successfully.','2020-05-01 20:55:52',0),(379,381,'Issue',9,'Play imported successfully.','2020-05-01 20:55:52',0),(380,382,'Issue',9,'Play imported successfully.','2020-05-01 20:55:53',0),(381,383,'Issue',9,'Play imported successfully.','2020-05-01 20:55:53',0),(382,384,'Issue',9,'Play imported successfully.','2020-05-01 20:55:54',0),(383,385,'Issue',9,'Play imported successfully.','2020-05-01 20:55:54',0),(384,386,'Issue',9,'Play imported successfully.','2020-05-01 20:55:55',0),(385,387,'Issue',9,'Play imported successfully.','2020-05-01 20:55:55',0),(386,388,'Issue',9,'Play imported successfully.','2020-05-01 20:55:56',0),(387,389,'Issue',9,'Play imported successfully.','2020-05-01 20:55:57',0),(388,390,'Issue',9,'Play imported successfully.','2020-05-01 20:55:57',0),(389,391,'Issue',9,'Play imported successfully.','2020-05-01 20:55:58',0),(390,392,'Issue',9,'Play imported successfully.','2020-05-01 20:55:58',0),(391,393,'Issue',9,'Play imported successfully.','2020-05-01 20:55:59',0),(392,394,'Issue',9,'Play imported successfully.','2020-05-01 20:55:59',0),(393,395,'Issue',9,'Play imported successfully.','2020-05-01 20:56:00',0),(394,396,'Issue',9,'Play imported successfully.','2020-05-01 20:56:00',0),(395,397,'Issue',9,'Play imported successfully.','2020-05-01 20:56:01',0),(396,398,'Issue',9,'Play imported successfully.','2020-05-01 20:56:01',0),(397,399,'Issue',9,'Play imported successfully.','2020-05-01 20:56:02',0),(398,400,'Issue',9,'Play imported successfully.','2020-05-01 20:56:02',0),(399,401,'Issue',9,'Play imported successfully.','2020-05-01 20:56:03',0),(400,402,'Issue',9,'Play imported successfully.','2020-05-01 20:56:03',0),(401,403,'Issue',9,'Play imported successfully.','2020-05-01 20:56:04',0),(402,404,'Issue',9,'Play imported successfully.','2020-05-01 20:56:04',0),(403,405,'Issue',9,'Play imported successfully.','2020-05-01 20:56:05',0),(404,406,'Issue',9,'Play imported successfully.','2020-05-01 20:56:06',0),(405,407,'Issue',9,'Play imported successfully.','2020-05-01 20:56:06',0),(406,408,'Issue',9,'Play imported successfully.','2020-05-01 20:56:07',0),(407,409,'Issue',9,'Play imported successfully.','2020-05-01 20:56:07',0),(408,410,'Issue',9,'Play imported successfully.','2020-05-01 20:56:08',0),(409,411,'Issue',9,'Play imported successfully.','2020-05-01 20:56:08',0),(410,412,'Issue',9,'Play imported successfully.','2020-05-01 20:56:09',0),(411,413,'Issue',9,'Play imported successfully.','2020-05-01 20:56:09',0),(412,414,'Issue',9,'Play imported successfully.','2020-05-01 20:56:10',0),(413,415,'Issue',9,'Play imported successfully.','2020-05-01 20:56:11',0),(414,416,'Issue',9,'Play imported successfully.','2020-05-01 20:56:11',0),(415,417,'Issue',9,'Play imported successfully.','2020-05-01 20:56:12',0),(416,418,'Issue',9,'Play imported successfully.','2020-05-01 20:56:13',0),(417,419,'Issue',9,'Play imported successfully.','2020-05-01 20:56:13',0),(418,420,'Issue',9,'Play imported successfully.','2020-05-01 20:56:14',0),(419,421,'Issue',9,'Play imported successfully.','2020-05-01 20:56:15',0),(420,422,'Issue',9,'Play imported successfully.','2020-05-01 20:56:15',0),(421,423,'Issue',9,'Play imported successfully.','2020-05-01 20:56:16',0),(422,424,'Issue',9,'Play imported successfully.','2020-05-01 20:56:16',0),(423,425,'Issue',9,'Play imported successfully.','2020-05-01 20:56:17',0),(424,426,'Issue',9,'Play imported successfully.','2020-05-01 20:56:17',0),(425,427,'Issue',9,'Play imported successfully.','2020-05-01 20:56:18',0),(426,428,'Issue',9,'Play imported successfully.','2020-05-01 20:56:19',0),(427,429,'Issue',9,'Play imported successfully.','2020-05-01 20:56:19',0),(428,430,'Issue',9,'Play imported successfully.','2020-05-01 20:56:20',0),(429,431,'Issue',9,'Play imported successfully.','2020-05-01 20:56:20',0),(430,432,'Issue',9,'Play imported successfully.','2020-05-01 20:56:21',0),(431,433,'Issue',9,'Play imported successfully.','2020-05-01 20:56:21',0),(432,434,'Issue',9,'Play imported successfully.','2020-05-01 20:56:22',0),(433,435,'Issue',9,'Play imported successfully.','2020-05-01 20:56:22',0),(434,436,'Issue',9,'Play imported successfully.','2020-05-01 20:56:23',0),(435,437,'Issue',9,'Play imported successfully.','2020-05-01 20:56:24',0),(436,438,'Issue',9,'Play imported successfully.','2020-05-01 20:56:24',0),(437,439,'Issue',9,'Play imported successfully.','2020-05-01 20:56:25',0),(438,440,'Issue',9,'Play imported successfully.','2020-05-01 20:56:25',0),(439,441,'Issue',9,'Play imported successfully.','2020-05-01 20:56:26',0),(440,442,'Issue',9,'Play imported successfully.','2020-05-01 20:56:26',0),(441,443,'Issue',9,'Play imported successfully.','2020-05-01 20:56:27',0),(442,444,'Issue',9,'Play imported successfully.','2020-05-01 20:56:27',0),(443,445,'Issue',9,'Play imported successfully.','2020-05-01 20:56:28',0),(444,446,'Issue',9,'Play imported successfully.','2020-05-01 20:56:28',0),(445,447,'Issue',9,'Play imported successfully.','2020-05-01 20:56:29',0),(446,448,'Issue',9,'Play imported successfully.','2020-05-01 20:56:29',0),(447,449,'Issue',9,'Play imported successfully.','2020-05-01 20:56:30',0),(448,450,'Issue',9,'Play imported successfully.','2020-05-01 20:56:30',0),(449,451,'Issue',9,'Play imported successfully.','2020-05-01 20:56:31',0),(450,452,'Issue',9,'Play imported successfully.','2020-05-01 20:56:31',0),(451,453,'Issue',9,'Play imported successfully.','2020-05-01 20:56:32',0),(452,454,'Issue',9,'Play imported successfully.','2020-05-01 20:56:32',0),(453,455,'Issue',9,'Play imported successfully.','2020-05-01 20:56:33',0),(454,456,'Issue',9,'Play imported successfully.','2020-05-01 20:56:34',0),(455,457,'Issue',9,'Play imported successfully.','2020-05-01 20:56:34',0),(456,458,'Issue',9,'Play imported successfully.','2020-05-01 20:56:35',0),(457,459,'Issue',9,'Play imported successfully.','2020-05-01 20:56:35',0),(458,460,'Issue',9,'Play imported successfully.','2020-05-01 20:56:36',0),(459,461,'Issue',9,'Play imported successfully.','2020-05-01 20:56:36',0),(460,462,'Issue',9,'Play imported successfully.','2020-05-01 20:56:37',0),(461,463,'Issue',9,'Play imported successfully.','2020-05-01 20:56:37',0),(462,464,'Issue',9,'Play imported successfully.','2020-05-01 20:56:38',0),(463,465,'Issue',9,'Play imported successfully.','2020-05-01 20:56:38',0),(464,466,'Issue',9,'Play imported successfully.','2020-05-01 20:56:39',0),(465,467,'Issue',9,'Play imported successfully.','2020-05-01 20:56:39',0),(466,468,'Issue',9,'Play imported successfully.','2020-05-01 20:56:40',0),(467,469,'Issue',9,'Play imported successfully.','2020-05-01 20:56:41',0),(468,470,'Issue',9,'Play imported successfully.','2020-05-01 20:56:41',0),(469,471,'Issue',9,'Play imported successfully.','2020-05-01 20:56:42',0),(470,472,'Issue',9,'Play imported successfully.','2020-05-01 20:56:42',0),(471,473,'Issue',9,'Play imported successfully.','2020-05-01 20:56:43',0),(472,474,'Issue',9,'Play imported successfully.','2020-05-01 20:56:43',0),(473,475,'Issue',9,'Play imported successfully.','2020-05-01 20:56:44',0),(474,476,'Issue',9,'Play imported successfully.','2020-05-01 20:56:44',0),(475,477,'Issue',9,'Play imported successfully.','2020-05-01 20:56:45',0),(476,478,'Issue',9,'Play imported successfully.','2020-05-01 20:56:45',0),(477,479,'Issue',9,'Play imported successfully.','2020-05-01 20:56:46',0),(478,480,'Issue',9,'Play imported successfully.','2020-05-01 20:56:46',0),(479,481,'Issue',9,'Play imported successfully.','2020-05-01 20:56:47',0),(480,482,'Issue',9,'Play imported successfully.','2020-05-01 20:56:48',0),(481,483,'Issue',9,'Play imported successfully.','2020-05-01 20:56:48',0),(482,484,'Issue',9,'Play imported successfully.','2020-05-01 20:56:49',0),(483,485,'Issue',9,'Play imported successfully.','2020-05-01 20:56:49',0),(484,486,'Issue',9,'Play imported successfully.','2020-05-01 20:56:50',0),(485,487,'Issue',9,'Play imported successfully.','2020-05-01 20:56:50',0),(486,488,'Issue',9,'Play imported successfully.','2020-05-01 20:56:51',0),(487,489,'Issue',9,'Play imported successfully.','2020-05-01 20:56:51',0),(488,490,'Issue',9,'Play imported successfully.','2020-05-01 20:56:52',0),(489,491,'Issue',9,'Play imported successfully.','2020-05-01 20:56:52',0),(490,492,'Issue',9,'Play imported successfully.','2020-05-01 20:56:53',0),(491,493,'Issue',9,'Play imported successfully.','2020-05-01 20:56:53',0),(492,494,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:56:54',0),(493,495,'Issue',9,'Play imported successfully.','2020-05-01 20:56:54',0),(494,496,'Issue',9,'Play imported successfully.','2020-05-01 20:56:55',0),(495,497,'Issue',9,'Play imported successfully.','2020-05-01 20:56:56',0),(496,498,'Issue',9,'Play imported successfully.','2020-05-01 20:56:56',0),(497,499,'Issue',9,'Play imported successfully.','2020-05-01 20:56:57',0),(498,500,'Issue',9,'Play imported successfully.','2020-05-01 20:56:57',0),(499,501,'Issue',9,'Play imported successfully.','2020-05-01 20:56:58',0),(500,502,'Issue',9,'Play imported successfully.','2020-05-01 20:56:58',0),(501,503,'Issue',9,'Play imported successfully.','2020-05-01 20:56:59',0),(502,504,'Issue',9,'Play imported successfully.','2020-05-01 20:56:59',0),(503,505,'Issue',9,'Play imported successfully.','2020-05-01 20:57:00',0),(504,506,'Issue',9,'Play imported successfully.','2020-05-01 20:57:00',0),(505,507,'Issue',9,'Play imported successfully.','2020-05-01 20:57:01',0),(506,508,'Issue',9,'Play imported successfully.','2020-05-01 20:57:02',0),(507,509,'Issue',9,'Play imported successfully.','2020-05-01 20:57:02',0),(508,510,'Issue',9,'Play imported successfully.','2020-05-01 20:57:03',0),(509,511,'Issue',9,'Play imported successfully.','2020-05-01 20:57:03',0),(510,512,'Issue',9,'Play imported successfully.','2020-05-01 20:57:04',0),(511,513,'Issue',9,'Play imported successfully.','2020-05-01 20:57:04',0),(512,514,'Issue',9,'Play imported successfully.','2020-05-01 20:57:05',0),(513,515,'Issue',9,'Play imported successfully.','2020-05-01 20:57:05',0),(514,516,'Issue',9,'Play imported successfully.','2020-05-01 20:57:06',0),(515,517,'Issue',9,'Play imported successfully.','2020-05-01 20:57:06',0),(516,518,'Issue',9,'Play imported successfully.','2020-05-01 20:57:07',0),(517,519,'Issue',9,'Play imported successfully.','2020-05-01 20:57:07',0),(518,520,'Issue',9,'Play imported successfully.','2020-05-01 20:57:08',0),(519,521,'Issue',9,'Play imported successfully.','2020-05-01 20:57:08',0),(520,522,'Issue',9,'Play imported successfully.','2020-05-01 20:57:09',0),(521,523,'Issue',9,'Play imported successfully.','2020-05-01 20:57:09',0),(522,524,'Issue',9,'Play imported successfully.','2020-05-01 20:57:10',0),(523,525,'Issue',9,'Play imported successfully.','2020-05-01 20:57:11',0),(524,526,'Issue',9,'Play imported successfully.','2020-05-01 20:57:11',0),(525,527,'Issue',9,'Play imported successfully.','2020-05-01 20:57:12',0),(526,528,'Issue',9,'Play imported successfully.','2020-05-01 20:57:12',0),(527,529,'Issue',9,'Play imported successfully.','2020-05-01 20:57:13',0),(528,530,'Issue',9,'Play imported successfully.','2020-05-01 20:57:13',0),(529,531,'Issue',9,'Play imported successfully.','2020-05-01 20:57:14',0),(530,532,'Issue',9,'Play imported successfully.','2020-05-01 20:57:14',0),(531,533,'Issue',9,'Play imported successfully.','2020-05-01 20:57:15',0),(532,534,'Issue',9,'Play imported successfully.','2020-05-01 20:57:15',0),(533,535,'Issue',9,'Play imported successfully.','2020-05-01 20:57:16',0),(534,536,'Issue',9,'Play imported successfully.','2020-05-01 20:57:16',0),(535,537,'Issue',9,'Play imported successfully.','2020-05-01 20:57:17',0),(536,538,'Issue',9,'Play imported successfully.','2020-05-01 20:57:17',0),(537,539,'Issue',9,'Play imported successfully.','2020-05-01 20:57:18',0),(538,540,'Issue',9,'Play imported successfully.','2020-05-01 20:57:18',0),(539,541,'Issue',9,'Play imported successfully.','2020-05-01 20:57:19',0),(540,542,'Issue',9,'Play imported successfully.','2020-05-01 20:57:20',0),(541,543,'Issue',9,'Play imported successfully.','2020-05-01 20:57:20',0),(542,544,'Issue',9,'Play imported successfully.','2020-05-01 20:57:21',0),(543,545,'Issue',9,'Play imported successfully.','2020-05-01 20:57:21',0),(544,546,'Issue',9,'Play imported successfully.','2020-05-01 20:57:22',0),(545,547,'Issue',9,'Play imported successfully.','2020-05-01 20:57:22',0),(546,548,'Issue',9,'Play imported successfully.','2020-05-01 20:57:23',0),(547,549,'Issue',9,'Play imported successfully.','2020-05-01 20:57:23',0),(548,550,'Issue',9,'Play imported successfully.','2020-05-01 20:57:24',0),(549,551,'Issue',9,'Play imported successfully.','2020-05-01 20:57:24',0),(550,552,'Issue',9,'Play imported successfully.','2020-05-01 20:57:25',0),(551,553,'Issue',9,'Play imported successfully.','2020-05-01 20:57:26',0),(552,554,'Issue',9,'Play imported successfully.','2020-05-01 20:57:26',0),(553,555,'Issue',9,'Play imported successfully.','2020-05-01 20:57:27',0),(554,556,'Issue',9,'Play imported successfully.','2020-05-01 20:57:27',0),(555,557,'Issue',9,'Play imported successfully.','2020-05-01 20:57:28',0),(556,558,'Issue',9,'Play imported successfully.','2020-05-01 20:57:28',0),(557,559,'Issue',9,'Play imported successfully.','2020-05-01 20:57:29',0),(558,560,'Issue',9,'Play imported successfully.','2020-05-01 20:57:29',0),(559,561,'Issue',9,'Play imported successfully.','2020-05-01 20:57:30',0),(560,562,'Issue',9,'Play imported successfully.','2020-05-01 20:57:30',0),(561,563,'Issue',9,'Play imported successfully.','2020-05-01 20:57:31',0),(562,564,'Issue',9,'Play imported successfully.','2020-05-01 20:57:31',0),(563,565,'Issue',9,'Play imported successfully.','2020-05-01 20:57:32',0),(564,566,'Issue',9,'Play imported successfully.','2020-05-01 20:57:33',0),(565,567,'Issue',9,'Play imported successfully.','2020-05-01 20:57:33',0),(566,568,'Issue',9,'Play imported successfully.','2020-05-01 20:57:34',0),(567,569,'Issue',9,'Play imported successfully.','2020-05-01 20:57:34',0),(568,570,'Issue',9,'Play imported successfully.','2020-05-01 20:57:35',0),(569,571,'Issue',9,'Play imported successfully.','2020-05-01 20:57:35',0),(570,572,'Issue',9,'Play imported successfully.','2020-05-01 20:57:36',0),(571,573,'Issue',9,'Play imported successfully.','2020-05-01 20:57:36',0),(572,574,'Issue',9,'Play imported successfully.','2020-05-01 20:57:37',0),(573,575,'Issue',9,'Play imported successfully.','2020-05-01 20:57:37',0),(574,576,'Issue',9,'Play imported successfully.','2020-05-01 20:57:38',0),(575,577,'Issue',9,'Play imported successfully.','2020-05-01 20:57:38',0),(576,578,'Issue',9,'Play imported successfully.','2020-05-01 20:57:39',0),(577,579,'Issue',9,'Play imported successfully.','2020-05-01 20:57:40',0),(578,580,'Issue',9,'Play imported successfully.','2020-05-01 20:57:40',0),(579,581,'Issue',9,'Play imported successfully.','2020-05-01 20:57:41',0),(580,582,'Issue',9,'Play imported successfully.','2020-05-01 20:57:41',0),(581,583,'Issue',9,'Play imported successfully.','2020-05-01 20:57:42',0),(582,584,'Issue',9,'Play imported successfully.','2020-05-01 20:57:42',0),(583,585,'Issue',9,'Play imported successfully.','2020-05-01 20:57:43',0),(584,586,'Issue',9,'Play imported successfully.','2020-05-01 20:57:43',0),(585,587,'Issue',9,'Play imported successfully.','2020-05-01 20:57:44',0),(586,588,'Issue',9,'Play imported successfully.','2020-05-01 20:57:44',0),(587,589,'Issue',9,'Play imported successfully.','2020-05-01 20:57:45',0),(588,590,'Issue',9,'Play imported successfully.','2020-05-01 20:57:45',0),(589,591,'Issue',9,'Play imported successfully.','2020-05-01 20:57:46',0),(590,592,'Issue',9,'Play imported successfully.','2020-05-01 20:57:47',0),(591,593,'Issue',9,'Play imported successfully.','2020-05-01 20:57:47',0),(592,594,'Issue',9,'Play imported successfully.','2020-05-01 20:57:48',0),(593,595,'Issue',9,'Play imported successfully.','2020-05-01 20:57:48',0),(594,596,'Issue',9,'Play imported successfully.','2020-05-01 20:57:49',0),(595,597,'Issue',9,'Play imported successfully.','2020-05-01 20:57:49',0),(596,598,'Issue',9,'Play imported successfully.','2020-05-01 20:57:50',0),(597,599,'Issue',9,'Play imported successfully.','2020-05-01 20:57:50',0),(598,600,'Issue',9,'Play imported successfully.','2020-05-01 20:57:51',0),(599,601,'Issue',9,'Play imported successfully.','2020-05-01 20:57:51',0),(600,602,'Issue',9,'Play imported successfully.','2020-05-01 20:57:52',0),(601,603,'Issue',9,'Play imported successfully.','2020-05-01 20:57:52',0),(602,604,'Issue',9,'Play imported successfully.','2020-05-01 20:57:53',0),(603,605,'Issue',9,'Play imported successfully.','2020-05-01 20:57:53',0),(604,606,'Issue',9,'Play imported successfully.','2020-05-01 20:57:54',0),(605,607,'Issue',9,'Play imported successfully.','2020-05-01 20:57:55',0),(606,608,'Issue',9,'Play imported successfully.','2020-05-01 20:57:55',0),(607,609,'Issue',9,'Play imported successfully.','2020-05-01 20:57:56',0),(608,610,'Issue',9,'Play imported successfully.','2020-05-01 20:57:56',0),(609,611,'Issue',9,'Play imported successfully.','2020-05-01 20:57:57',0),(610,612,'Issue',9,'Play imported successfully.','2020-05-01 20:57:57',0),(611,613,'Issue',9,'Play imported successfully.','2020-05-01 20:57:58',0),(612,614,'Issue',9,'Play imported successfully.','2020-05-01 20:57:58',0),(613,615,'Issue',9,'Play imported successfully.','2020-05-01 20:57:59',0),(614,616,'Issue',9,'Play imported successfully.','2020-05-01 20:57:59',0),(615,617,'Issue',9,'Play imported successfully.','2020-05-01 20:58:00',0),(616,618,'Issue',9,'Play imported successfully.','2020-05-01 20:58:00',0),(621,618,'Issue',8,'','2020-05-03 09:59:49',0),(622,618,'Issue',9,'','2020-05-03 10:00:04',0),(623,618,'Issue',8,'','2020-05-03 10:00:57',0),(624,620,'Issue',9,'Play imported successfully.','2020-05-13 13:30:57',0),(625,621,'Issue',9,'Play imported successfully.','2020-05-13 14:05:41',0),(626,622,'Issue',9,'Play imported successfully.','2020-05-13 14:07:09',0),(627,420,'Issue',9,'','2020-05-13 14:07:10',0),(628,623,'Issue',9,'Play imported successfully.','2020-05-13 14:07:11',0),(629,494,'Issue',9,'','2020-05-13 14:07:11',0),(630,508,'Issue',9,'','2020-05-13 14:07:11',0),(631,556,'Issue',9,'','2020-05-13 14:07:11',0); /*!40000 ALTER TABLE `journals` ENABLE KEYS */; UNLOCK TABLES; @@ -898,7 +894,7 @@ CREATE TABLE `member_roles` ( LOCK TABLES `member_roles` WRITE; /*!40000 ALTER TABLE `member_roles` DISABLE KEYS */; -INSERT INTO `member_roles` VALUES (1,1,5,NULL),(2,2,3,NULL),(3,3,4,NULL),(4,4,5,1),(5,5,3,2),(7,7,4,3); +INSERT INTO `member_roles` VALUES (1,1,5,NULL),(2,2,3,NULL),(3,3,4,NULL),(4,4,5,1),(7,7,4,3); /*!40000 ALTER TABLE `member_roles` ENABLE KEYS */; UNLOCK TABLES; @@ -928,7 +924,7 @@ CREATE TABLE `members` ( LOCK TABLES `members` WRITE; /*!40000 ALTER TABLE `members` DISABLE KEYS */; -INSERT INTO `members` VALUES (1,6,1,'2020-04-26 18:44:14',0),(2,5,1,'2020-04-26 18:44:23',0),(3,7,1,'2020-04-26 18:45:27',0),(4,9,1,'2020-04-26 18:47:51',0),(5,8,1,'2020-04-26 18:48:00',0),(7,1,1,'2020-05-01 16:42:56',0); +INSERT INTO `members` VALUES (1,6,1,'2020-04-26 18:44:14',0),(2,5,1,'2020-04-26 18:44:23',0),(3,7,1,'2020-04-26 18:45:27',0),(4,9,1,'2020-04-26 18:47:51',0),(7,1,1,'2020-05-01 16:42:56',0); /*!40000 ALTER TABLE `members` ENABLE KEYS */; UNLOCK TABLES; @@ -1090,7 +1086,7 @@ CREATE TABLE `projects` ( LOCK TABLES `projects` WRITE; /*!40000 ALTER TABLE `projects` DISABLE KEYS */; -INSERT INTO `projects` VALUES (1,'Detection Playbooks','','',0,NULL,'2020-04-26 13:13:01','2020-04-26 13:13:01','detection-playbooks',1,1,2,0,NULL,NULL); +INSERT INTO `projects` VALUES (1,'Detection Playbooks','','',1,NULL,'2020-04-26 13:13:01','2020-07-10 19:33:53','detection-playbooks',1,1,2,0,NULL,NULL); /*!40000 ALTER TABLE `projects` ENABLE KEYS */; UNLOCK TABLES; @@ -1141,7 +1137,7 @@ CREATE TABLE `queries` ( PRIMARY KEY (`id`), KEY `index_queries_on_project_id` (`project_id`), KEY `index_queries_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=9 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=10 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- @@ -1150,7 +1146,7 @@ CREATE TABLE `queries` ( LOCK TABLES `queries` WRITE; /*!40000 ALTER TABLE `queries` DISABLE KEYS */; -INSERT INTO `queries` VALUES (3,1,'All Plays','---\ntracker_id:\n :operator: \"=\"\n :values:\n - \'1\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(4,NULL,'Disabled Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'6\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(5,NULL,'Draft Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'2\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(6,NULL,'Playbook - Community Sigma','---\ncf_13:\n :operator: \"=\"\n :values:\n - community\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(8,NULL,'Playbook - Internal','---\ncf_13:\n :operator: \"=\"\n :values:\n - Internal\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'); +INSERT INTO `queries` VALUES (3,1,'All Plays','---\ntracker_id:\n :operator: \"=\"\n :values:\n - \'1\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(4,NULL,'Disabled Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'6\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(5,NULL,'Draft Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'2\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(6,NULL,'Playbook - Community Sigma','---\ncf_13:\n :operator: \"=\"\n :values:\n - community\n',1,'---\n- :status\n- :cf_10\n- :cf_18\n- :cf_19\n- :cf_20\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(8,NULL,'Playbook - Internal','---\ncf_13:\n :operator: \"=\"\n :values:\n - Internal\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(9,NULL,'Active Plays','---\ntracker_id:\n :operator: \"=\"\n :values:\n - \'1\'\nstatus_id:\n :operator: \"=\"\n :values:\n - \'3\'\n',1,'---\n- :status\n- :cf_10\n- :cf_13\n- :cf_18\n- :cf_19\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'); /*!40000 ALTER TABLE `queries` ENABLE KEYS */; UNLOCK TABLES; @@ -1241,7 +1237,7 @@ CREATE TABLE `roles` ( LOCK TABLES `roles` WRITE; /*!40000 ALTER TABLE `roles` DISABLE KEYS */; -INSERT INTO `roles` VALUES (1,'Non member',0,1,1,NULL,'default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'0\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n'),(2,'Anonymous',0,1,2,NULL,'default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'0\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n'),(3,'Security-Analyst',1,0,0,'---\n- :save_queries\n- :view_issues\n- :edit_issues\n- :add_issue_notes\n- :edit_issue_notes\n- :sigma_editor\n','all','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'),(4,'SuperAdmin',2,0,0,'---\n- :add_project\n- :edit_project\n- :close_project\n- :select_project_modules\n- :manage_members\n- :manage_versions\n- :add_subprojects\n- :manage_public_queries\n- :save_queries\n- :manage_hook\n- :view_messages\n- :add_messages\n- :edit_messages\n- :edit_own_messages\n- :delete_messages\n- :delete_own_messages\n- :manage_boards\n- :view_calendar\n- :view_documents\n- :add_documents\n- :edit_documents\n- :delete_documents\n- :view_files\n- :manage_files\n- :view_gantt\n- :view_issues\n- :edit_issues\n- :edit_own_issues\n- :copy_issues\n- :manage_issue_relations\n- :manage_subtasks\n- :set_issues_private\n- :set_own_issues_private\n- :add_issue_notes\n- :edit_issue_notes\n- :edit_own_issue_notes\n- :view_private_notes\n- :set_notes_private\n- :delete_issues\n- :view_issue_watchers\n- :add_issue_watchers\n- :delete_issue_watchers\n- :import_issues\n- :manage_categories\n- :view_news\n- :manage_news\n- :comment_news\n- :view_changesets\n- :browse_repository\n- :commit_access\n- :manage_related_issues\n- :manage_repository\n- :sigma_editor\n- :view_time_entries\n- :log_time\n- :edit_time_entries\n- :edit_own_time_entries\n- :manage_project_activities\n- :log_time_for_other_users\n- :import_time_entries\n- :view_wiki_pages\n- :view_wiki_edits\n- :export_wiki_pages\n- :edit_wiki_pages\n- :rename_wiki_pages\n- :delete_wiki_pages\n- :delete_wiki_pages_attachments\n- :protect_wiki_pages\n- :manage_wiki\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'),(5,'Automation',3,0,0,'---\n- :view_issues\n- :add_issues\n- :edit_issues\n- :add_issue_notes\n- :edit_issue_notes\n- :import_issues\n- :sigma_editor\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'); +INSERT INTO `roles` VALUES (1,'Non member',0,1,1,NULL,'default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'0\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n'),(2,'Anonymous',0,1,2,'---\n- :view_issues\n- :edit_issues\n- :add_issue_notes\n- :sigma_editor\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n'),(3,'Security-Analyst',1,0,0,'---\n- :save_queries\n- :view_issues\n- :edit_issues\n- :add_issue_notes\n- :edit_issue_notes\n- :sigma_editor\n','all','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'),(4,'SuperAdmin',2,0,0,'---\n- :add_project\n- :edit_project\n- :close_project\n- :select_project_modules\n- :manage_members\n- :manage_versions\n- :add_subprojects\n- :manage_public_queries\n- :save_queries\n- :manage_hook\n- :view_messages\n- :add_messages\n- :edit_messages\n- :edit_own_messages\n- :delete_messages\n- :delete_own_messages\n- :manage_boards\n- :view_calendar\n- :view_documents\n- :add_documents\n- :edit_documents\n- :delete_documents\n- :view_files\n- :manage_files\n- :view_gantt\n- :view_issues\n- :edit_issues\n- :edit_own_issues\n- :copy_issues\n- :manage_issue_relations\n- :manage_subtasks\n- :set_issues_private\n- :set_own_issues_private\n- :add_issue_notes\n- :edit_issue_notes\n- :edit_own_issue_notes\n- :view_private_notes\n- :set_notes_private\n- :delete_issues\n- :view_issue_watchers\n- :add_issue_watchers\n- :delete_issue_watchers\n- :import_issues\n- :manage_categories\n- :view_news\n- :manage_news\n- :comment_news\n- :view_changesets\n- :browse_repository\n- :commit_access\n- :manage_related_issues\n- :manage_repository\n- :sigma_editor\n- :view_time_entries\n- :log_time\n- :edit_time_entries\n- :edit_own_time_entries\n- :manage_project_activities\n- :log_time_for_other_users\n- :import_time_entries\n- :view_wiki_pages\n- :view_wiki_edits\n- :export_wiki_pages\n- :edit_wiki_pages\n- :rename_wiki_pages\n- :delete_wiki_pages\n- :delete_wiki_pages_attachments\n- :protect_wiki_pages\n- :manage_wiki\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'),(5,'Automation',3,0,0,'---\n- :view_issues\n- :add_issues\n- :edit_issues\n- :add_issue_notes\n- :edit_issue_notes\n- :import_issues\n- :sigma_editor\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'); /*!40000 ALTER TABLE `roles` ENABLE KEYS */; UNLOCK TABLES; @@ -1314,7 +1310,7 @@ CREATE TABLE `settings` ( LOCK TABLES `settings` WRITE; /*!40000 ALTER TABLE `settings` DISABLE KEYS */; -INSERT INTO `settings` VALUES (1,'ui_theme','circle','2020-04-26 13:11:26'),(2,'default_language','en','2020-04-26 13:11:26'),(3,'force_default_language_for_anonymous','0','2020-04-26 13:11:26'),(4,'force_default_language_for_loggedin','0','2020-04-26 13:11:26'),(5,'start_of_week','','2020-04-26 13:11:26'),(6,'date_format','','2020-04-26 13:11:26'),(7,'time_format','','2020-04-26 13:11:26'),(8,'timespan_format','decimal','2020-04-26 13:11:26'),(9,'user_format','firstname_lastname','2020-05-02 12:45:00'),(10,'gravatar_enabled','1','2020-05-02 12:41:07'),(11,'thumbnails_enabled','1','2020-04-26 13:11:26'),(12,'thumbnails_size','100','2020-04-26 13:11:26'),(13,'new_item_menu_tab','0','2020-04-26 13:11:30'),(14,'login_required','1','2020-04-26 13:11:54'),(15,'autologin','0','2020-04-26 13:11:54'),(16,'self_registration','0','2020-04-26 13:11:54'),(17,'show_custom_fields_on_registration','0','2020-04-26 13:11:54'),(18,'password_min_length','8','2020-04-26 13:11:54'),(19,'password_required_char_classes','--- []\n','2020-04-26 13:11:54'),(20,'password_max_age','0','2020-04-26 13:11:54'),(21,'lost_password','1','2020-04-26 13:11:54'),(22,'openid','0','2020-04-26 13:11:55'),(23,'session_lifetime','0','2020-04-26 13:11:55'),(24,'session_timeout','0','2020-04-26 13:11:55'),(25,'rest_api_enabled','1','2020-04-26 13:11:58'),(26,'jsonp_enabled','0','2020-04-26 13:11:58'),(27,'default_projects_public','0','2020-04-26 13:12:21'),(28,'default_projects_modules','---\n- sigma_editor\n','2020-04-26 13:12:21'),(29,'default_projects_tracker_ids','--- []\n','2020-04-26 13:12:21'),(30,'sequential_project_identifiers','0','2020-04-26 13:12:21'),(31,'project_list_defaults','---\n:column_names:\n- name\n- identifier\n- short_description\n','2020-04-26 13:12:21'),(32,'app_title','Playbook','2020-04-26 18:17:51'),(33,'welcome_text','','2020-04-26 18:17:51'),(34,'per_page_options','25,75,150','2020-05-02 12:41:38'),(35,'search_results_per_page','10','2020-04-26 18:17:51'),(36,'activity_days_default','30','2020-04-26 18:17:51'),(37,'host_name','localhost:3000','2020-04-26 18:17:51'),(38,'protocol','http','2020-04-26 18:17:51'),(39,'text_formatting','textile','2020-04-26 18:17:51'),(40,'cache_formatted_text','0','2020-04-26 18:17:51'),(41,'wiki_compression','','2020-04-26 18:17:51'),(42,'feeds_limit','15','2020-04-26 18:17:51'),(43,'plugin_redmine_playbook','--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nproject: \'1\'\nconvert_url: http://10.66.166.178:7000/playbook/sigmac\ncreate_url: http://10.66.166.178:7000/playbook/play','2020-05-02 12:39:20'),(44,'cross_project_issue_relations','0','2020-05-01 16:27:33'),(45,'link_copied_issue','no','2020-05-01 16:27:33'),(46,'cross_project_subtasks','','2020-05-01 16:27:33'),(47,'close_duplicate_issues','0','2020-05-01 16:27:33'),(48,'issue_group_assignment','0','2020-05-01 16:27:33'),(49,'default_issue_start_date_to_creation_date','1','2020-05-01 16:27:33'),(50,'display_subprojects_issues','0','2020-05-01 16:27:33'),(51,'issue_done_ratio','issue_field','2020-05-01 16:27:33'),(52,'non_working_week_days','---\n- \'6\'\n- \'7\'\n','2020-05-01 16:27:33'),(53,'issues_export_limit','500','2020-05-01 16:27:33'),(54,'gantt_items_limit','500','2020-05-01 16:27:33'),(55,'gantt_months_limit','24','2020-05-01 16:27:33'),(56,'parent_issue_dates','derived','2020-05-01 16:27:33'),(57,'parent_issue_priority','derived','2020-05-01 16:27:33'),(58,'parent_issue_done_ratio','derived','2020-05-01 16:27:33'),(59,'issue_list_default_columns','---\n- status\n- cf_10\n- cf_13\n- cf_14\n- cf_1\n- updated_on\n','2020-05-01 19:32:13'),(60,'issue_list_default_totals','--- []\n','2020-05-01 16:27:33'),(61,'enabled_scm','--- []\n','2020-05-01 16:27:47'),(62,'autofetch_changesets','0','2020-05-01 16:27:47'),(63,'sys_api_enabled','0','2020-05-01 16:27:47'),(64,'repository_log_display_limit','100','2020-05-01 16:27:47'),(65,'commit_logs_formatting','1','2020-05-01 16:27:47'),(66,'commit_ref_keywords','refs,references,IssueID','2020-05-01 16:27:47'),(67,'commit_cross_project_ref','0','2020-05-01 16:27:47'),(68,'commit_logtime_enabled','0','2020-05-01 16:27:47'),(69,'commit_update_keywords','--- []\n','2020-05-01 16:27:47'),(70,'gravatar_default','','2020-05-02 12:41:07'); +INSERT INTO `settings` VALUES (1,'ui_theme','circle','2020-04-26 13:11:26'),(2,'default_language','en','2020-04-26 13:11:26'),(3,'force_default_language_for_anonymous','0','2020-04-26 13:11:26'),(4,'force_default_language_for_loggedin','0','2020-04-26 13:11:26'),(5,'start_of_week','','2020-04-26 13:11:26'),(6,'date_format','','2020-04-26 13:11:26'),(7,'time_format','','2020-04-26 13:11:26'),(8,'timespan_format','decimal','2020-04-26 13:11:26'),(9,'user_format','firstname_lastname','2020-05-02 12:45:00'),(10,'gravatar_enabled','1','2020-05-02 12:41:07'),(11,'thumbnails_enabled','1','2020-04-26 13:11:26'),(12,'thumbnails_size','100','2020-04-26 13:11:26'),(13,'new_item_menu_tab','0','2020-04-26 13:11:30'),(14,'login_required','0','2020-07-10 19:32:45'),(15,'autologin','0','2020-04-26 13:11:54'),(16,'self_registration','0','2020-04-26 13:11:54'),(17,'show_custom_fields_on_registration','0','2020-04-26 13:11:54'),(18,'password_min_length','8','2020-04-26 13:11:54'),(19,'password_required_char_classes','--- []\n','2020-04-26 13:11:54'),(20,'password_max_age','0','2020-04-26 13:11:54'),(21,'lost_password','1','2020-04-26 13:11:54'),(22,'openid','0','2020-04-26 13:11:55'),(23,'session_lifetime','0','2020-04-26 13:11:55'),(24,'session_timeout','0','2020-04-26 13:11:55'),(25,'rest_api_enabled','1','2020-04-26 13:11:58'),(26,'jsonp_enabled','0','2020-04-26 13:11:58'),(27,'default_projects_public','0','2020-04-26 13:12:21'),(28,'default_projects_modules','---\n- sigma_editor\n','2020-04-26 13:12:21'),(29,'default_projects_tracker_ids','--- []\n','2020-04-26 13:12:21'),(30,'sequential_project_identifiers','0','2020-04-26 13:12:21'),(31,'project_list_defaults','---\n:column_names:\n- name\n- identifier\n- short_description\n','2020-04-26 13:12:21'),(32,'app_title','Playbook','2020-04-26 18:17:51'),(33,'welcome_text','','2020-04-26 18:17:51'),(34,'per_page_options','25,75,150','2020-05-02 12:41:38'),(35,'search_results_per_page','10','2020-04-26 18:17:51'),(36,'activity_days_default','30','2020-04-26 18:17:51'),(37,'host_name','localhost:3000','2020-04-26 18:17:51'),(38,'protocol','http','2020-04-26 18:17:51'),(39,'text_formatting','textile','2020-04-26 18:17:51'),(40,'cache_formatted_text','0','2020-04-26 18:17:51'),(41,'wiki_compression','','2020-04-26 18:17:51'),(42,'feeds_limit','15','2020-04-26 18:17:51'),(43,'plugin_redmine_playbook','--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nproject: \'1\'\nconvert_url: http://10.66.166.188:7000/playbook/sigmac\ncreate_url: http://10.66.166.188:7000/playbook/play','2020-05-02 12:39:20'),(44,'cross_project_issue_relations','0','2020-05-01 16:27:33'),(45,'link_copied_issue','no','2020-05-01 16:27:33'),(46,'cross_project_subtasks','','2020-05-01 16:27:33'),(47,'close_duplicate_issues','0','2020-05-01 16:27:33'),(48,'issue_group_assignment','0','2020-05-01 16:27:33'),(49,'default_issue_start_date_to_creation_date','1','2020-05-01 16:27:33'),(50,'display_subprojects_issues','0','2020-05-01 16:27:33'),(51,'issue_done_ratio','issue_field','2020-05-01 16:27:33'),(52,'non_working_week_days','---\n- \'6\'\n- \'7\'\n','2020-05-01 16:27:33'),(53,'issues_export_limit','500','2020-05-01 16:27:33'),(54,'gantt_items_limit','500','2020-05-01 16:27:33'),(55,'gantt_months_limit','24','2020-05-01 16:27:33'),(56,'parent_issue_dates','derived','2020-05-01 16:27:33'),(57,'parent_issue_priority','derived','2020-05-01 16:27:33'),(58,'parent_issue_done_ratio','derived','2020-05-01 16:27:33'),(59,'issue_list_default_columns','---\n- status\n- cf_10\n- cf_13\n- cf_14\n- cf_1\n- updated_on\n','2020-05-01 19:32:13'),(60,'issue_list_default_totals','--- []\n','2020-05-01 16:27:33'),(61,'enabled_scm','--- []\n','2020-05-01 16:27:47'),(62,'autofetch_changesets','0','2020-05-01 16:27:47'),(63,'sys_api_enabled','0','2020-05-01 16:27:47'),(64,'repository_log_display_limit','100','2020-05-01 16:27:47'),(65,'commit_logs_formatting','1','2020-05-01 16:27:47'),(66,'commit_ref_keywords','refs,references,IssueID','2020-05-01 16:27:47'),(67,'commit_cross_project_ref','0','2020-05-01 16:27:47'),(68,'commit_logtime_enabled','0','2020-05-01 16:27:47'),(69,'commit_update_keywords','--- []\n','2020-05-01 16:27:47'),(70,'gravatar_default','','2020-05-02 12:41:07'); /*!40000 ALTER TABLE `settings` ENABLE KEYS */; UNLOCK TABLES; @@ -1375,7 +1371,7 @@ CREATE TABLE `tokens` ( PRIMARY KEY (`id`), UNIQUE KEY `tokens_value` (`value`), KEY `index_tokens_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=55 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=62 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- @@ -1384,7 +1380,7 @@ CREATE TABLE `tokens` ( LOCK TABLES `tokens` WRITE; /*!40000 ALTER TABLE `tokens` DISABLE KEYS */; -INSERT INTO `tokens` VALUES (3,1,'feeds','6e5575602e1227c188cd85ef6d12608bb8701193','2020-04-26 13:10:46','2020-04-26 13:10:46'),(4,1,'session','999412fa9badda7423c6c654d6364c32c20b3eac','2020-04-26 18:07:03','2020-04-26 18:12:02'),(5,1,'session','124ad4acbf87a942426350e7ad028c1d119c3851','2020-04-26 18:17:11','2020-04-26 18:19:24'),(8,8,'feeds','1f28542e983dc0a3abfc81013ff7f008f1cb6800','2020-04-26 18:50:50','2020-04-26 18:50:50'),(9,1,'session','2890c663e0552f26ddb92acad6ab3b6d05b92915','2020-04-26 18:51:15','2020-04-26 18:51:15'),(19,1,'session','b7ffb106ea0b34650dd9c1770f74c2b0ffe166b2','2020-05-01 16:52:33','2020-05-01 18:02:30'),(20,1,'session','f44cfcf918eef59ffda47991c431d9c2b2ac6113','2020-05-01 18:05:56','2020-05-01 18:05:56'),(23,9,'feeds','211918c9d7168979b5dc19bebb14573b928a5067','2020-05-01 18:26:17','2020-05-01 18:26:17'),(25,9,'api','de6639318502476f2fa5aa06f43f51fb389a3d7f','2020-05-01 18:26:31','2020-05-01 18:26:31'),(36,8,'session','47616205d262d3e3f05665038888edc463b872d9','2020-05-01 19:41:12','2020-05-01 19:44:24'),(39,8,'session','a4d98ddceb539f8a5d2f99ee4f4274f711f6dc14','2020-05-01 20:40:23','2020-05-01 20:40:27'),(45,8,'session','b7346c8089e9b6237d9438f7c08ce014ad46d5d2','2020-05-03 09:13:00','2020-05-03 10:01:34'),(46,1,'session','2d0c8f8ae641c06d8c2362746846440d465d53c0','2020-05-06 20:48:01','2020-05-06 20:48:07'),(47,8,'session','1adb4bf696b7a4eafedf633cef7dee28e138ec01','2020-05-06 20:52:43','2020-05-06 20:52:48'),(54,8,'session','c1d788feea4bc194f6b24005943807b477bc1fb8','2020-05-13 14:23:44','2020-05-13 14:29:25'); +INSERT INTO `tokens` VALUES (3,1,'feeds','6e5575602e1227c188cd85ef6d12608bb8701193','2020-04-26 13:10:46','2020-04-26 13:10:46'),(4,1,'session','999412fa9badda7423c6c654d6364c32c20b3eac','2020-04-26 18:07:03','2020-04-26 18:12:02'),(5,1,'session','124ad4acbf87a942426350e7ad028c1d119c3851','2020-04-26 18:17:11','2020-04-26 18:19:24'),(9,1,'session','2890c663e0552f26ddb92acad6ab3b6d05b92915','2020-04-26 18:51:15','2020-04-26 18:51:15'),(19,1,'session','b7ffb106ea0b34650dd9c1770f74c2b0ffe166b2','2020-05-01 16:52:33','2020-05-01 18:02:30'),(20,1,'session','f44cfcf918eef59ffda47991c431d9c2b2ac6113','2020-05-01 18:05:56','2020-05-01 18:05:56'),(23,9,'feeds','211918c9d7168979b5dc19bebb14573b928a5067','2020-05-01 18:26:17','2020-05-01 18:26:17'),(25,9,'api','de6639318502476f2fa5aa06f43f51fb389a3d7f','2020-05-01 18:26:31','2020-05-01 18:26:31'),(46,1,'session','2d0c8f8ae641c06d8c2362746846440d465d53c0','2020-05-06 20:48:01','2020-05-06 20:48:07'),(59,1,'session','2afe6590653d59a697d1436729c64f322a2eff82','2020-07-01 18:11:07','2020-07-01 20:30:43'),(61,1,'session','b01f95709ca1ab086a049cf9c5afd81ca9d4526e','2020-07-15 16:30:42','2020-07-15 16:31:40'); /*!40000 ALTER TABLE `tokens` ENABLE KEYS */; UNLOCK TABLES; @@ -1442,7 +1438,7 @@ CREATE TABLE `user_preferences` ( LOCK TABLES `user_preferences` WRITE; /*!40000 ALTER TABLE `user_preferences` DISABLE KEYS */; -INSERT INTO `user_preferences` VALUES (1,1,'---\n:no_self_notified: \'1\'\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:recently_used_project_ids: \'1\'\n',1,''),(2,8,'---\n:no_self_notified: \'1\'\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:recently_used_project_ids: \'1\'\n',1,''),(3,9,'---\n:no_self_notified: \'1\'\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:recently_used_project_ids: \'1\'\n',1,''); +INSERT INTO `user_preferences` VALUES (1,1,'---\n:no_self_notified: \'1\'\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:recently_used_project_ids: \'1\'\n',1,''),(3,9,'---\n:no_self_notified: \'1\'\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:recently_used_project_ids: \'1\'\n',1,''); /*!40000 ALTER TABLE `user_preferences` ENABLE KEYS */; UNLOCK TABLES; @@ -1485,7 +1481,7 @@ CREATE TABLE `users` ( LOCK TABLES `users` WRITE; /*!40000 ALTER TABLE `users` DISABLE KEYS */; -INSERT INTO `users` VALUES (1,'admin','95535e9f7a386c412f20134ebb869c00cf346477','Admin','Admin',1,1,'2020-05-13 14:22:22','',NULL,'2020-04-26 13:08:34','2020-04-26 13:10:45','User',NULL,'all','5ceb2c95ce1593d4ba034d385ceefb2f',0,'2020-04-26 13:10:27'),(2,'','','','Anonymous users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupAnonymous',NULL,'',NULL,0,NULL),(3,'','','','Non member users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupNonMember',NULL,'',NULL,0,NULL),(4,'','','','Anonymous',0,0,NULL,'',NULL,'2020-04-26 13:09:44','2020-04-26 13:09:44','AnonymousUser',NULL,'only_my_events',NULL,0,NULL),(5,'','','','Analysts',0,1,NULL,'',NULL,'2020-04-26 18:43:40','2020-04-26 18:43:40','Group',NULL,'',NULL,0,NULL),(6,'','','','Automation',0,1,NULL,'',NULL,'2020-04-26 18:43:47','2020-04-26 18:43:47','Group',NULL,'',NULL,0,NULL),(7,'','','','Admins',0,1,NULL,'',NULL,'2020-04-26 18:43:58','2020-04-26 18:43:58','Group',NULL,'',NULL,0,NULL),(8,'analyst','adfc2e9391aa2ce34a02ce5bcc225efe853ee6cc','analyst','analyst',0,1,'2020-05-13 14:23:44','en',NULL,'2020-04-26 18:46:48','2020-04-26 18:46:48','User',NULL,'none','6b5dc1c8429a1c7d69375d723f7e3207',0,'2020-04-26 18:46:48'),(9,'automation','d2e7d78af1f0c0637765ae8cf1a359c4a30034c9','SecOps','Automation',0,1,'2020-05-01 18:26:17','en',NULL,'2020-04-26 18:47:46','2020-05-01 18:26:10','User',NULL,'none','41043e596f70e327e34fc99c861f5b31',0,'2020-05-01 18:26:10'); +INSERT INTO `users` VALUES (1,'admin','95535e9f7a386c412f20134ebb869c00cf346477','Admin','Admin',1,1,'2020-07-15 16:30:42','',NULL,'2020-04-26 13:08:34','2020-04-26 13:10:45','User',NULL,'all','5ceb2c95ce1593d4ba034d385ceefb2f',0,'2020-04-26 13:10:27'),(2,'','','','Anonymous users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupAnonymous',NULL,'',NULL,0,NULL),(3,'','','','Non member users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupNonMember',NULL,'',NULL,0,NULL),(4,'','','','Anonymous',0,0,NULL,'',NULL,'2020-04-26 13:09:44','2020-04-26 13:09:44','AnonymousUser',NULL,'only_my_events',NULL,0,NULL),(5,'','','','Analysts',0,1,NULL,'',NULL,'2020-04-26 18:43:40','2020-04-26 18:43:40','Group',NULL,'',NULL,0,NULL),(6,'','','','Automation',0,1,NULL,'',NULL,'2020-04-26 18:43:47','2020-04-26 18:43:47','Group',NULL,'',NULL,0,NULL),(7,'','','','Admins',0,1,NULL,'',NULL,'2020-04-26 18:43:58','2020-04-26 18:43:58','Group',NULL,'',NULL,0,NULL),(9,'automation','d2e7d78af1f0c0637765ae8cf1a359c4a30034c9','SecOps','Automation',0,1,'2020-05-01 18:26:17','en',NULL,'2020-04-26 18:47:46','2020-05-01 18:26:10','User',NULL,'none','41043e596f70e327e34fc99c861f5b31',0,'2020-05-01 18:26:10'); /*!40000 ALTER TABLE `users` ENABLE KEYS */; UNLOCK TABLES; @@ -1571,7 +1567,7 @@ CREATE TABLE `webhooks` ( LOCK TABLES `webhooks` WRITE; /*!40000 ALTER TABLE `webhooks` DISABLE KEYS */; -INSERT INTO `webhooks` VALUES (1,'http://10.66.166.178:7000/playbook/webhook',1); +INSERT INTO `webhooks` VALUES (1,'http://10.66.166.188:7000/playbook/webhook',1); /*!40000 ALTER TABLE `webhooks` ENABLE KEYS */; UNLOCK TABLES; @@ -1746,7 +1742,7 @@ CREATE TABLE `workflows` ( KEY `index_workflows_on_role_id` (`role_id`), KEY `index_workflows_on_new_status_id` (`new_status_id`), KEY `index_workflows_on_tracker_id` (`tracker_id`) -) ENGINE=InnoDB AUTO_INCREMENT=247 DEFAULT CHARSET=latin1; +) ENGINE=InnoDB AUTO_INCREMENT=648 DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; -- @@ -1755,7 +1751,7 @@ CREATE TABLE `workflows` ( LOCK TABLES `workflows` WRITE; /*!40000 ALTER TABLE `workflows` DISABLE KEYS */; -INSERT INTO `workflows` VALUES (116,1,2,0,3,0,0,'WorkflowPermission','project_id','readonly'),(117,1,2,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(118,1,2,0,3,0,0,'WorkflowPermission','subject','readonly'),(119,1,2,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(120,1,2,0,3,0,0,'WorkflowPermission','is_private','readonly'),(121,1,2,0,3,0,0,'WorkflowPermission','description','readonly'),(122,1,2,0,3,0,0,'WorkflowPermission','1','readonly'),(123,1,2,0,3,0,0,'WorkflowPermission','2','readonly'),(124,1,2,0,3,0,0,'WorkflowPermission','3','readonly'),(125,1,2,0,3,0,0,'WorkflowPermission','5','readonly'),(126,1,2,0,3,0,0,'WorkflowPermission','6','readonly'),(127,1,2,0,3,0,0,'WorkflowPermission','7','readonly'),(128,1,2,0,3,0,0,'WorkflowPermission','8','readonly'),(129,1,2,0,3,0,0,'WorkflowPermission','10','readonly'),(130,1,2,0,3,0,0,'WorkflowPermission','11','readonly'),(131,1,2,0,3,0,0,'WorkflowPermission','12','readonly'),(132,1,2,0,3,0,0,'WorkflowPermission','14','readonly'),(133,1,2,0,3,0,0,'WorkflowPermission','15','readonly'),(134,1,2,0,3,0,0,'WorkflowPermission','16','readonly'),(135,1,3,0,3,0,0,'WorkflowPermission','project_id','readonly'),(136,1,3,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(137,1,3,0,3,0,0,'WorkflowPermission','subject','readonly'),(138,1,3,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(139,1,3,0,3,0,0,'WorkflowPermission','is_private','readonly'),(140,1,3,0,3,0,0,'WorkflowPermission','description','readonly'),(141,1,3,0,3,0,0,'WorkflowPermission','1','readonly'),(142,1,3,0,3,0,0,'WorkflowPermission','2','readonly'),(143,1,3,0,3,0,0,'WorkflowPermission','3','readonly'),(144,1,3,0,3,0,0,'WorkflowPermission','5','readonly'),(145,1,3,0,3,0,0,'WorkflowPermission','6','readonly'),(146,1,3,0,3,0,0,'WorkflowPermission','7','readonly'),(147,1,3,0,3,0,0,'WorkflowPermission','8','readonly'),(148,1,3,0,3,0,0,'WorkflowPermission','10','readonly'),(149,1,3,0,3,0,0,'WorkflowPermission','11','readonly'),(150,1,3,0,3,0,0,'WorkflowPermission','12','readonly'),(151,1,3,0,3,0,0,'WorkflowPermission','14','readonly'),(152,1,3,0,3,0,0,'WorkflowPermission','15','readonly'),(153,1,3,0,3,0,0,'WorkflowPermission','16','readonly'),(154,1,4,0,3,0,0,'WorkflowPermission','project_id','readonly'),(155,1,4,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(156,1,4,0,3,0,0,'WorkflowPermission','subject','readonly'),(157,1,4,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(158,1,4,0,3,0,0,'WorkflowPermission','is_private','readonly'),(159,1,4,0,3,0,0,'WorkflowPermission','description','readonly'),(160,1,4,0,3,0,0,'WorkflowPermission','1','readonly'),(161,1,4,0,3,0,0,'WorkflowPermission','2','readonly'),(162,1,4,0,3,0,0,'WorkflowPermission','3','readonly'),(163,1,4,0,3,0,0,'WorkflowPermission','5','readonly'),(164,1,4,0,3,0,0,'WorkflowPermission','6','readonly'),(165,1,4,0,3,0,0,'WorkflowPermission','7','readonly'),(166,1,4,0,3,0,0,'WorkflowPermission','8','readonly'),(167,1,4,0,3,0,0,'WorkflowPermission','10','readonly'),(168,1,4,0,3,0,0,'WorkflowPermission','11','readonly'),(169,1,4,0,3,0,0,'WorkflowPermission','12','readonly'),(170,1,4,0,3,0,0,'WorkflowPermission','14','readonly'),(171,1,4,0,3,0,0,'WorkflowPermission','15','readonly'),(172,1,4,0,3,0,0,'WorkflowPermission','16','readonly'),(173,1,5,0,3,0,0,'WorkflowPermission','project_id','readonly'),(174,1,5,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(175,1,5,0,3,0,0,'WorkflowPermission','subject','readonly'),(176,1,5,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(177,1,5,0,3,0,0,'WorkflowPermission','is_private','readonly'),(178,1,5,0,3,0,0,'WorkflowPermission','description','readonly'),(179,1,5,0,3,0,0,'WorkflowPermission','1','readonly'),(180,1,5,0,3,0,0,'WorkflowPermission','2','readonly'),(181,1,5,0,3,0,0,'WorkflowPermission','3','readonly'),(182,1,5,0,3,0,0,'WorkflowPermission','5','readonly'),(183,1,5,0,3,0,0,'WorkflowPermission','6','readonly'),(184,1,5,0,3,0,0,'WorkflowPermission','7','readonly'),(185,1,5,0,3,0,0,'WorkflowPermission','8','readonly'),(186,1,5,0,3,0,0,'WorkflowPermission','10','readonly'),(187,1,5,0,3,0,0,'WorkflowPermission','11','readonly'),(188,1,5,0,3,0,0,'WorkflowPermission','12','readonly'),(189,1,5,0,3,0,0,'WorkflowPermission','14','readonly'),(190,1,5,0,3,0,0,'WorkflowPermission','15','readonly'),(191,1,5,0,3,0,0,'WorkflowPermission','16','readonly'),(192,1,6,0,3,0,0,'WorkflowPermission','project_id','readonly'),(193,1,6,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(194,1,6,0,3,0,0,'WorkflowPermission','subject','readonly'),(195,1,6,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(196,1,6,0,3,0,0,'WorkflowPermission','is_private','readonly'),(197,1,6,0,3,0,0,'WorkflowPermission','description','readonly'),(198,1,6,0,3,0,0,'WorkflowPermission','1','readonly'),(199,1,6,0,3,0,0,'WorkflowPermission','2','readonly'),(200,1,6,0,3,0,0,'WorkflowPermission','3','readonly'),(201,1,6,0,3,0,0,'WorkflowPermission','5','readonly'),(202,1,6,0,3,0,0,'WorkflowPermission','6','readonly'),(203,1,6,0,3,0,0,'WorkflowPermission','7','readonly'),(204,1,6,0,3,0,0,'WorkflowPermission','8','readonly'),(205,1,6,0,3,0,0,'WorkflowPermission','10','readonly'),(206,1,6,0,3,0,0,'WorkflowPermission','11','readonly'),(207,1,6,0,3,0,0,'WorkflowPermission','12','readonly'),(208,1,6,0,3,0,0,'WorkflowPermission','14','readonly'),(209,1,6,0,3,0,0,'WorkflowPermission','15','readonly'),(210,1,6,0,3,0,0,'WorkflowPermission','16','readonly'),(220,1,2,3,3,0,0,'WorkflowTransition',NULL,NULL),(221,1,2,3,4,0,0,'WorkflowTransition',NULL,NULL),(222,1,2,3,5,0,0,'WorkflowTransition',NULL,NULL),(223,1,2,6,3,0,0,'WorkflowTransition',NULL,NULL),(224,1,2,6,4,0,0,'WorkflowTransition',NULL,NULL),(225,1,2,6,5,0,0,'WorkflowTransition',NULL,NULL),(226,1,3,4,3,0,0,'WorkflowTransition',NULL,NULL),(227,1,3,4,4,0,0,'WorkflowTransition',NULL,NULL),(228,1,3,4,5,0,0,'WorkflowTransition',NULL,NULL),(229,1,4,5,3,0,0,'WorkflowTransition',NULL,NULL),(230,1,4,5,4,0,0,'WorkflowTransition',NULL,NULL),(231,1,4,5,5,0,0,'WorkflowTransition',NULL,NULL),(232,1,4,6,3,0,0,'WorkflowTransition',NULL,NULL),(233,1,4,6,4,0,0,'WorkflowTransition',NULL,NULL),(234,1,4,6,5,0,0,'WorkflowTransition',NULL,NULL),(235,1,6,3,3,0,0,'WorkflowTransition',NULL,NULL),(236,1,6,3,4,0,0,'WorkflowTransition',NULL,NULL),(237,1,6,3,5,0,0,'WorkflowTransition',NULL,NULL),(239,1,2,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(240,1,3,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(241,1,4,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(242,1,5,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(243,1,6,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(244,1,0,2,5,0,0,'WorkflowTransition',NULL,NULL),(245,1,0,2,4,0,0,'WorkflowTransition',NULL,NULL),(246,1,0,6,5,0,0,'WorkflowTransition',NULL,NULL); +INSERT INTO `workflows` VALUES (132,1,2,0,3,0,0,'WorkflowPermission','14','readonly'),(134,1,2,0,3,0,0,'WorkflowPermission','16','readonly'),(151,1,3,0,3,0,0,'WorkflowPermission','14','readonly'),(153,1,3,0,3,0,0,'WorkflowPermission','16','readonly'),(170,1,4,0,3,0,0,'WorkflowPermission','14','readonly'),(172,1,4,0,3,0,0,'WorkflowPermission','16','readonly'),(189,1,5,0,3,0,0,'WorkflowPermission','14','readonly'),(191,1,5,0,3,0,0,'WorkflowPermission','16','readonly'),(208,1,6,0,3,0,0,'WorkflowPermission','14','readonly'),(210,1,6,0,3,0,0,'WorkflowPermission','16','readonly'),(220,1,2,3,3,0,0,'WorkflowTransition',NULL,NULL),(221,1,2,3,4,0,0,'WorkflowTransition',NULL,NULL),(222,1,2,3,5,0,0,'WorkflowTransition',NULL,NULL),(223,1,2,6,3,0,0,'WorkflowTransition',NULL,NULL),(224,1,2,6,4,0,0,'WorkflowTransition',NULL,NULL),(225,1,2,6,5,0,0,'WorkflowTransition',NULL,NULL),(226,1,3,4,3,0,0,'WorkflowTransition',NULL,NULL),(227,1,3,4,4,0,0,'WorkflowTransition',NULL,NULL),(228,1,3,4,5,0,0,'WorkflowTransition',NULL,NULL),(229,1,4,5,3,0,0,'WorkflowTransition',NULL,NULL),(230,1,4,5,4,0,0,'WorkflowTransition',NULL,NULL),(231,1,4,5,5,0,0,'WorkflowTransition',NULL,NULL),(232,1,4,6,3,0,0,'WorkflowTransition',NULL,NULL),(233,1,4,6,4,0,0,'WorkflowTransition',NULL,NULL),(234,1,4,6,5,0,0,'WorkflowTransition',NULL,NULL),(235,1,6,3,3,0,0,'WorkflowTransition',NULL,NULL),(236,1,6,3,4,0,0,'WorkflowTransition',NULL,NULL),(237,1,6,3,5,0,0,'WorkflowTransition',NULL,NULL),(239,1,2,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(240,1,3,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(241,1,4,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(242,1,5,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(243,1,6,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(244,1,0,2,5,0,0,'WorkflowTransition',NULL,NULL),(245,1,0,2,4,0,0,'WorkflowTransition',NULL,NULL),(246,1,0,6,5,0,0,'WorkflowTransition',NULL,NULL),(352,1,2,0,3,0,0,'WorkflowPermission','project_id','readonly'),(353,1,2,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(354,1,2,0,3,0,0,'WorkflowPermission','subject','readonly'),(355,1,2,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(356,1,2,0,3,0,0,'WorkflowPermission','is_private','readonly'),(357,1,2,0,3,0,0,'WorkflowPermission','description','readonly'),(358,1,2,0,3,0,0,'WorkflowPermission','1','readonly'),(359,1,2,0,3,0,0,'WorkflowPermission','2','readonly'),(360,1,2,0,3,0,0,'WorkflowPermission','10','readonly'),(361,1,2,0,3,0,0,'WorkflowPermission','20','readonly'),(362,1,2,0,3,0,0,'WorkflowPermission','8','readonly'),(363,1,2,0,3,0,0,'WorkflowPermission','15','readonly'),(364,1,2,0,3,0,0,'WorkflowPermission','11','readonly'),(365,1,2,0,3,0,0,'WorkflowPermission','12','readonly'),(366,1,2,0,3,0,0,'WorkflowPermission','19','readonly'),(367,1,2,0,3,0,0,'WorkflowPermission','7','readonly'),(368,1,2,0,3,0,0,'WorkflowPermission','3','readonly'),(369,1,2,0,3,0,0,'WorkflowPermission','5','readonly'),(370,1,2,0,3,0,0,'WorkflowPermission','6','readonly'),(371,1,2,0,3,0,0,'WorkflowPermission','22','readonly'),(372,1,3,0,3,0,0,'WorkflowPermission','project_id','readonly'),(373,1,3,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(374,1,3,0,3,0,0,'WorkflowPermission','subject','readonly'),(375,1,3,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(376,1,3,0,3,0,0,'WorkflowPermission','is_private','readonly'),(377,1,3,0,3,0,0,'WorkflowPermission','description','readonly'),(378,1,3,0,3,0,0,'WorkflowPermission','1','readonly'),(379,1,3,0,3,0,0,'WorkflowPermission','2','readonly'),(380,1,3,0,3,0,0,'WorkflowPermission','10','readonly'),(381,1,3,0,3,0,0,'WorkflowPermission','20','readonly'),(382,1,3,0,3,0,0,'WorkflowPermission','8','readonly'),(383,1,3,0,3,0,0,'WorkflowPermission','15','readonly'),(384,1,3,0,3,0,0,'WorkflowPermission','11','readonly'),(385,1,3,0,3,0,0,'WorkflowPermission','12','readonly'),(386,1,3,0,3,0,0,'WorkflowPermission','19','readonly'),(387,1,3,0,3,0,0,'WorkflowPermission','7','readonly'),(388,1,3,0,3,0,0,'WorkflowPermission','3','readonly'),(389,1,3,0,3,0,0,'WorkflowPermission','5','readonly'),(390,1,3,0,3,0,0,'WorkflowPermission','6','readonly'),(391,1,3,0,3,0,0,'WorkflowPermission','22','readonly'),(392,1,4,0,3,0,0,'WorkflowPermission','project_id','readonly'),(393,1,4,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(394,1,4,0,3,0,0,'WorkflowPermission','subject','readonly'),(395,1,4,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(396,1,4,0,3,0,0,'WorkflowPermission','is_private','readonly'),(397,1,4,0,3,0,0,'WorkflowPermission','description','readonly'),(398,1,4,0,3,0,0,'WorkflowPermission','1','readonly'),(399,1,4,0,3,0,0,'WorkflowPermission','2','readonly'),(400,1,4,0,3,0,0,'WorkflowPermission','10','readonly'),(401,1,4,0,3,0,0,'WorkflowPermission','20','readonly'),(402,1,4,0,3,0,0,'WorkflowPermission','8','readonly'),(403,1,4,0,3,0,0,'WorkflowPermission','15','readonly'),(404,1,4,0,3,0,0,'WorkflowPermission','11','readonly'),(405,1,4,0,3,0,0,'WorkflowPermission','12','readonly'),(406,1,4,0,3,0,0,'WorkflowPermission','19','readonly'),(407,1,4,0,3,0,0,'WorkflowPermission','7','readonly'),(408,1,4,0,3,0,0,'WorkflowPermission','3','readonly'),(409,1,4,0,3,0,0,'WorkflowPermission','5','readonly'),(410,1,4,0,3,0,0,'WorkflowPermission','6','readonly'),(411,1,4,0,3,0,0,'WorkflowPermission','22','readonly'),(412,1,5,0,3,0,0,'WorkflowPermission','project_id','readonly'),(413,1,5,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(414,1,5,0,3,0,0,'WorkflowPermission','subject','readonly'),(415,1,5,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(416,1,5,0,3,0,0,'WorkflowPermission','is_private','readonly'),(417,1,5,0,3,0,0,'WorkflowPermission','description','readonly'),(418,1,5,0,3,0,0,'WorkflowPermission','1','readonly'),(419,1,5,0,3,0,0,'WorkflowPermission','2','readonly'),(420,1,5,0,3,0,0,'WorkflowPermission','10','readonly'),(421,1,5,0,3,0,0,'WorkflowPermission','20','readonly'),(422,1,5,0,3,0,0,'WorkflowPermission','8','readonly'),(423,1,5,0,3,0,0,'WorkflowPermission','15','readonly'),(424,1,5,0,3,0,0,'WorkflowPermission','11','readonly'),(425,1,5,0,3,0,0,'WorkflowPermission','12','readonly'),(426,1,5,0,3,0,0,'WorkflowPermission','19','readonly'),(427,1,5,0,3,0,0,'WorkflowPermission','7','readonly'),(428,1,5,0,3,0,0,'WorkflowPermission','3','readonly'),(429,1,5,0,3,0,0,'WorkflowPermission','5','readonly'),(430,1,5,0,3,0,0,'WorkflowPermission','6','readonly'),(431,1,5,0,3,0,0,'WorkflowPermission','22','readonly'),(432,1,6,0,3,0,0,'WorkflowPermission','project_id','readonly'),(433,1,6,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(434,1,6,0,3,0,0,'WorkflowPermission','subject','readonly'),(435,1,6,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(436,1,6,0,3,0,0,'WorkflowPermission','is_private','readonly'),(437,1,6,0,3,0,0,'WorkflowPermission','description','readonly'),(438,1,6,0,3,0,0,'WorkflowPermission','1','readonly'),(439,1,6,0,3,0,0,'WorkflowPermission','2','readonly'),(440,1,6,0,3,0,0,'WorkflowPermission','10','readonly'),(441,1,6,0,3,0,0,'WorkflowPermission','20','readonly'),(442,1,6,0,3,0,0,'WorkflowPermission','8','readonly'),(443,1,6,0,3,0,0,'WorkflowPermission','15','readonly'),(444,1,6,0,3,0,0,'WorkflowPermission','11','readonly'),(445,1,6,0,3,0,0,'WorkflowPermission','12','readonly'),(446,1,6,0,3,0,0,'WorkflowPermission','19','readonly'),(447,1,6,0,3,0,0,'WorkflowPermission','7','readonly'),(448,1,6,0,3,0,0,'WorkflowPermission','3','readonly'),(449,1,6,0,3,0,0,'WorkflowPermission','5','readonly'),(450,1,6,0,3,0,0,'WorkflowPermission','6','readonly'),(451,1,6,0,3,0,0,'WorkflowPermission','22','readonly'),(537,1,2,0,2,0,0,'WorkflowPermission','project_id','readonly'),(538,1,2,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(539,1,2,0,2,0,0,'WorkflowPermission','subject','readonly'),(540,1,2,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(541,1,2,0,2,0,0,'WorkflowPermission','is_private','readonly'),(542,1,2,0,2,0,0,'WorkflowPermission','description','readonly'),(543,1,2,0,2,0,0,'WorkflowPermission','1','readonly'),(544,1,2,0,2,0,0,'WorkflowPermission','2','readonly'),(545,1,2,0,2,0,0,'WorkflowPermission','10','readonly'),(546,1,2,0,2,0,0,'WorkflowPermission','20','readonly'),(547,1,2,0,2,0,0,'WorkflowPermission','8','readonly'),(548,1,2,0,2,0,0,'WorkflowPermission','15','readonly'),(549,1,2,0,2,0,0,'WorkflowPermission','11','readonly'),(550,1,2,0,2,0,0,'WorkflowPermission','12','readonly'),(551,1,2,0,2,0,0,'WorkflowPermission','19','readonly'),(552,1,2,0,2,0,0,'WorkflowPermission','17','readonly'),(553,1,2,0,2,0,0,'WorkflowPermission','7','readonly'),(554,1,2,0,2,0,0,'WorkflowPermission','3','readonly'),(555,1,2,0,2,0,0,'WorkflowPermission','5','readonly'),(556,1,2,0,2,0,0,'WorkflowPermission','6','readonly'),(557,1,2,0,2,0,0,'WorkflowPermission','22','readonly'),(558,1,3,0,2,0,0,'WorkflowPermission','project_id','readonly'),(559,1,3,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(560,1,3,0,2,0,0,'WorkflowPermission','subject','readonly'),(561,1,3,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(562,1,3,0,2,0,0,'WorkflowPermission','is_private','readonly'),(563,1,3,0,2,0,0,'WorkflowPermission','description','readonly'),(564,1,3,0,2,0,0,'WorkflowPermission','1','readonly'),(565,1,3,0,2,0,0,'WorkflowPermission','2','readonly'),(566,1,3,0,2,0,0,'WorkflowPermission','10','readonly'),(567,1,3,0,2,0,0,'WorkflowPermission','20','readonly'),(568,1,3,0,2,0,0,'WorkflowPermission','8','readonly'),(569,1,3,0,2,0,0,'WorkflowPermission','15','readonly'),(570,1,3,0,2,0,0,'WorkflowPermission','11','readonly'),(571,1,3,0,2,0,0,'WorkflowPermission','12','readonly'),(572,1,3,0,2,0,0,'WorkflowPermission','19','readonly'),(573,1,3,0,2,0,0,'WorkflowPermission','17','readonly'),(574,1,3,0,2,0,0,'WorkflowPermission','7','readonly'),(575,1,3,0,2,0,0,'WorkflowPermission','3','readonly'),(576,1,3,0,2,0,0,'WorkflowPermission','5','readonly'),(577,1,3,0,2,0,0,'WorkflowPermission','6','readonly'),(578,1,3,0,2,0,0,'WorkflowPermission','22','readonly'),(579,1,4,0,2,0,0,'WorkflowPermission','project_id','readonly'),(580,1,4,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(581,1,4,0,2,0,0,'WorkflowPermission','subject','readonly'),(582,1,4,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(583,1,4,0,2,0,0,'WorkflowPermission','is_private','readonly'),(584,1,4,0,2,0,0,'WorkflowPermission','description','readonly'),(585,1,4,0,2,0,0,'WorkflowPermission','1','readonly'),(586,1,4,0,2,0,0,'WorkflowPermission','2','readonly'),(587,1,4,0,2,0,0,'WorkflowPermission','10','readonly'),(588,1,4,0,2,0,0,'WorkflowPermission','20','readonly'),(589,1,4,0,2,0,0,'WorkflowPermission','8','readonly'),(590,1,4,0,2,0,0,'WorkflowPermission','15','readonly'),(591,1,4,0,2,0,0,'WorkflowPermission','11','readonly'),(592,1,4,0,2,0,0,'WorkflowPermission','12','readonly'),(593,1,4,0,2,0,0,'WorkflowPermission','19','readonly'),(594,1,4,0,2,0,0,'WorkflowPermission','17','readonly'),(595,1,4,0,2,0,0,'WorkflowPermission','7','readonly'),(596,1,4,0,2,0,0,'WorkflowPermission','3','readonly'),(597,1,4,0,2,0,0,'WorkflowPermission','5','readonly'),(598,1,4,0,2,0,0,'WorkflowPermission','6','readonly'),(599,1,4,0,2,0,0,'WorkflowPermission','22','readonly'),(600,1,5,0,2,0,0,'WorkflowPermission','project_id','readonly'),(601,1,5,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(602,1,5,0,2,0,0,'WorkflowPermission','subject','readonly'),(603,1,5,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(604,1,5,0,2,0,0,'WorkflowPermission','is_private','readonly'),(605,1,5,0,2,0,0,'WorkflowPermission','description','readonly'),(606,1,5,0,2,0,0,'WorkflowPermission','1','readonly'),(607,1,5,0,2,0,0,'WorkflowPermission','2','readonly'),(608,1,5,0,2,0,0,'WorkflowPermission','10','readonly'),(609,1,5,0,2,0,0,'WorkflowPermission','20','readonly'),(610,1,5,0,2,0,0,'WorkflowPermission','8','readonly'),(611,1,5,0,2,0,0,'WorkflowPermission','15','readonly'),(612,1,5,0,2,0,0,'WorkflowPermission','11','readonly'),(613,1,5,0,2,0,0,'WorkflowPermission','12','readonly'),(614,1,5,0,2,0,0,'WorkflowPermission','19','readonly'),(615,1,5,0,2,0,0,'WorkflowPermission','17','readonly'),(616,1,5,0,2,0,0,'WorkflowPermission','7','readonly'),(617,1,5,0,2,0,0,'WorkflowPermission','3','readonly'),(618,1,5,0,2,0,0,'WorkflowPermission','5','readonly'),(619,1,5,0,2,0,0,'WorkflowPermission','6','readonly'),(620,1,5,0,2,0,0,'WorkflowPermission','22','readonly'),(621,1,6,0,2,0,0,'WorkflowPermission','project_id','readonly'),(622,1,6,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(623,1,6,0,2,0,0,'WorkflowPermission','subject','readonly'),(624,1,6,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(625,1,6,0,2,0,0,'WorkflowPermission','is_private','readonly'),(626,1,6,0,2,0,0,'WorkflowPermission','description','readonly'),(627,1,6,0,2,0,0,'WorkflowPermission','1','readonly'),(628,1,6,0,2,0,0,'WorkflowPermission','2','readonly'),(629,1,6,0,2,0,0,'WorkflowPermission','10','readonly'),(630,1,6,0,2,0,0,'WorkflowPermission','20','readonly'),(631,1,6,0,2,0,0,'WorkflowPermission','8','readonly'),(632,1,6,0,2,0,0,'WorkflowPermission','15','readonly'),(633,1,6,0,2,0,0,'WorkflowPermission','11','readonly'),(634,1,6,0,2,0,0,'WorkflowPermission','12','readonly'),(635,1,6,0,2,0,0,'WorkflowPermission','19','readonly'),(636,1,6,0,2,0,0,'WorkflowPermission','17','readonly'),(637,1,6,0,2,0,0,'WorkflowPermission','7','readonly'),(638,1,6,0,2,0,0,'WorkflowPermission','3','readonly'),(639,1,6,0,2,0,0,'WorkflowPermission','5','readonly'),(640,1,6,0,2,0,0,'WorkflowPermission','6','readonly'),(641,1,6,0,2,0,0,'WorkflowPermission','22','readonly'),(642,1,2,3,2,0,0,'WorkflowTransition',NULL,NULL),(643,1,2,6,2,0,0,'WorkflowTransition',NULL,NULL),(644,1,3,4,2,0,0,'WorkflowTransition',NULL,NULL),(645,1,4,5,2,0,0,'WorkflowTransition',NULL,NULL),(646,1,4,6,2,0,0,'WorkflowTransition',NULL,NULL),(647,1,6,3,2,0,0,'WorkflowTransition',NULL,NULL); /*!40000 ALTER TABLE `workflows` ENABLE KEYS */; UNLOCK TABLES; /*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; @@ -1768,4 +1764,4 @@ UNLOCK TABLES; /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; --- Dump completed on 2020-05-13 15:01:33 +-- Dump completed on 2020-07-15 16:33:41 diff --git a/salt/playbook/files/redmine.db b/salt/playbook/files/redmine.db deleted file mode 100644 index 520f0b3c3..000000000 Binary files a/salt/playbook/files/redmine.db and /dev/null differ diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 2282d8518..44b806f9a 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -1,22 +1,14 @@ -{% set MASTERIP = salt['pillar.get']('master:mainip', '') %} +{% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} -{% set MAINIP = salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('node:mainint', salt['pillar.get']('host:mainint')))))[0] %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} +{% set MAINIP = salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] %} {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} {%- set PLAYBOOKPASS = salt['pillar.get']('secrets:playbook', None) -%} -{% if salt['mysql.db_exists']('playbook') %} - #Playbook database exists - Do nothing -{% else %} -salt://playbook/files/playbook_db_init.sh: - cmd.script: - - cwd: /root - - template: jinja - -'sleep 5': - cmd.run -{% endif %} - +include: + - mysql + create_playbookdbuser: module.run: - mysql.user_create: @@ -40,7 +32,7 @@ query_playbookdbuser_grants: query_updatwebhooks: mysql_query.run: - database: playbook - - query: "update webhooks set url = 'http://{{MASTERIP}}:7000/playbook/webhook' where project_id = 1" + - query: "update webhooks set url = 'http://{{MANAGERIP}}:7000/playbook/webhook' where project_id = 1" - connection_host: {{ MAINIP }} - connection_port: 3306 - connection_user: root @@ -53,8 +45,8 @@ query_updatepluginurls: update settings set value = "--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess project: '1' - convert_url: http://{{MASTERIP}}:7000/playbook/sigmac - create_url: http://{{MASTERIP}}:7000/playbook/play" + convert_url: http://{{MANAGERIP}}:7000/playbook/sigmac + create_url: http://{{MANAGERIP}}:7000/playbook/play" where id = 43 - connection_host: {{ MAINIP }} - connection_port: 3306 @@ -73,11 +65,11 @@ playbook_password_none: so-playbook: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-playbook:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-playbook:{{ VERSION }} - hostname: playbook - name: so-playbook - environment: - - REDMINE_DB_MYSQL={{ MASTERIP }} + - REDMINE_DB_MYSQL={{ MANAGERIP }} - REDMINE_DB_DATABASE=playbook - REDMINE_DB_USERNAME=playbookdbuser - REDMINE_DB_PASSWORD={{ PLAYBOOKPASS }} diff --git a/salt/reactor/fleet.sls b/salt/reactor/fleet.sls index 609806de8..177dabf3a 100644 --- a/salt/reactor/fleet.sls +++ b/salt/reactor/fleet.sls @@ -13,7 +13,7 @@ def run(): STATICFILE = f"{LOCAL_SALT_DIR}/pillar/static.sls" SECRETSFILE = f"{LOCAL_SALT_DIR}/pillar/secrets.sls" - if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch','standalone']: + if MINIONID.split('_')[-1] in ['manager','eval','fleet','managersearch','standalone']: if ACTION == 'enablefleet': logging.info('so/fleet enablefleet reactor') @@ -27,7 +27,7 @@ def run(): if ROLE == 'so-fleet': line = re.sub(r'fleet_node: \S*', f"fleet_node: True", line.rstrip()) else: - line = re.sub(r'fleet_master: \S*', f"fleet_master: True", line.rstrip()) + line = re.sub(r'fleet_manager: \S*', f"fleet_manager: True", line.rstrip()) print(line) # Update the enroll secret in the secrets pillar @@ -50,16 +50,17 @@ def run(): PACKAGEVERSION = data['data']['current-package-version'] PACKAGEHOSTNAME = data['data']['package-hostname'] - MASTER = data['data']['master'] + MANAGER = data['data']['manager'] VERSION = data['data']['version'] ESECRET = data['data']['enroll-secret'] + IMAGEREPO = data['data']['imagerepo'] # Increment the package version by 1 PACKAGEVERSION += 1 # Run Docker container that will build the packages gen_packages = subprocess.run(["docker", "run","--rm", "--mount", f"type=bind,source={LOCAL_SALT_DIR}/salt/fleet/packages,target=/output", \ - "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:{ VERSION }", \ + "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MANAGER }:5000/{ IMAGEREPO }/so-fleet-launcher:{ VERSION }", \ f"{ESECRET}", f"{PACKAGEHOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii') # Update the 'packages-built' timestamp on the webpage (stored in the static pillar) @@ -82,7 +83,7 @@ def run(): # Update the Fleet host in the static pillar for line in fileinput.input(STATICFILE, inplace=True): - line = re.sub(r'fleet_custom_hostname: \S*', f"fleet_custom_hostname: {CUSTOMHOSTNAME}", line.rstrip()) + line = re.sub(r'fleet_custom_hostname:.*\n', f"fleet_custom_hostname: {CUSTOMHOSTNAME}", line.rstrip()) print(line) return {} diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 3b2f662f3..5a981e688 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -12,9 +12,9 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set lsaccessip = salt['pillar.get']('master:lsaccessip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} # Redis Setup redisconfdir: @@ -48,7 +48,7 @@ redisconfsync: so-redis: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-redis:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }} - hostname: so-redis - user: socore - port_bindings: diff --git a/salt/soc/files/kratos/kratos.yaml b/salt/soc/files/kratos/kratos.yaml index 7939ec35b..2171971bc 100644 --- a/salt/soc/files/kratos/kratos.yaml +++ b/salt/soc/files/kratos/kratos.yaml @@ -1,4 +1,4 @@ -{%- set WEBACCESS = salt['pillar.get']('master:url_base', '') -%} +{%- set WEBACCESS = salt['pillar.get']('manager:url_base', '') -%} {%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%} selfservice: diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index 2d7e9be28..517816fcd 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json @@ -1,33 +1,33 @@ { - "title": "Introducing Hybrid Hunter 1.4.1 Beta 3", + "title": "Security Onion 2.0.0 RC1 is here!", "changes": [ - { "summary": "Fix install script to handle hostnames properly." }, - { "summary": "Complete overhaul of the way we handle custom and default settings and data. You will now see a default and local directory under the saltstack directory. All customizations are stored in local." }, - { "summary": "The way firewall rules are handled has been completely revamped. This will allow the user to customize firewall rules much easier." }, - { "summary": "Users can now change their own password in SOC." }, - { "summary": "Hunt now allows users to enable auto-hunt. This is a toggle which, when enabled, automatically submits a new hunt when filtering, grouping, etc." }, - { "summary": "Title bar now reflects current Hunt query. This will assist users in locating a previous query from their browser history." }, - { "summary": "Zeek 3.0.7" }, - { "summary": "Elastic 7.7.1" }, - { "summary": "Suricata can now be used for meta data generation." }, - { "summary": "Suricata eve.json has been moved to `/nsm` to align with storage of other data." }, - { "summary": "Suricata will now properly rotate its logs." }, - { "summary": "Grafana dashboards now work properly in standalone mode." }, - { "summary": "Kibana Dashboard updates including osquery, community_id." }, - { "summary": "New Elasticsearch Ingest processor to generate community_id from any log that includes the required fields." }, - { "summary": "Community_id generated for additional logs: Zeek HTTP/SMTP/ , Sysmon shipped with Osquery or Winlogbeat." }, - { "summary": "Major streamlining of Fleet setup & configuration - no need to run a secondary setup script anymore." }, - { "summary": "Fleet Standalone node now includes the ability to set a FQDN to point osquery endpoints to." }, - { "summary": "Distributed installs now support ingesting Windows Eventlogs via Winlogbeat - includes full parsing support for Sysmon." }, - { "summary": "SOC Downloads section now includes a link to the supported version of Winlogbeat." }, - { "summary": "Basic syslog ingestion capability now included." }, - { "summary": "Elasticsearch index name transition fixes for various components." }, - { "summary": "Updated URLs for pivot fields in Kibana." }, - { "summary": "Instances of \"hive\" renamed to \"thehive\"." }, - { "summary": "KNOWN ISSUE: The Hunt feature is currently considered \"Preview\" and although very useful in its current state, not everything works. We wanted to get this out as soon as possible to get the feedback from you! Let us know what you want to see! Let us know what you think we should call it!" }, - { "summary": "KNOWN ISSUE: You cannot pivot to PCAP from Suricata alerts in Kibana or Hunt." }, - { "summary": "KNOWN ISSUE: Navigator is currently not working when using hostname to access SOC. IP mode works correctly." }, - { "summary": "KNOWN ISSUE: Due to the move to ECS, the current Playbook plays may not alert correctly at this time." }, - { "summary": "KNOWN ISSUE: The osquery MacOS package does not install correctly." } + { "summary": "Re-branded 2.0 to give it a fresh look." }, + { "summary": "All documentation has moved to https://docs.securityonion.net/en/2.0" }, + { "summary": "soup is alive! Note: This tool only updates Security Onion components. Please use the built-in OS update process to keep the OS and other components up to date." }, + { "summary": "so-import-pcap is back! See the docs here: http://docs.securityonion.net/en/2.0/so-import-pcap." }, + { "summary": "Fixed issue with so-features-enable." }, + { "summary": "Users can now pivot to PCAP from Suricata alerts." }, + { "summary": "ISO install now prompts users to create an admin/sudo user instead of using a default account name." }, + { "summary": "The web email & password set during setup is now used to create the initial accounts for TheHive, Cortex, and Fleet." }, + { "summary": "Fixed issue with disk cleanup." }, + { "summary": "Changed the default permissions for /opt/so to keep non-priviledged users from accessing salt and related files." }, + { "summary": "Locked down access to certain SSL keys." }, + { "summary": "Suricata logs now compress after they roll over." }, + { "summary": "Users can now easily customize shard counts per index." }, + { "summary": "Improved Elastic ingest parsers including Windows event logs and Sysmon logs shipped with WinLogbeat and Osquery (ECS)." }, + { "summary": "Elastic nodes are now HOT by default, making it easier to add a warm node later." }, + { "summary": "so-allow now runs at the end of an install so users can enable access right away." }, + { "summary": "Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardized and copied to event.severity:
  • 1 = Low
  • 2 = Medium
  • 3 = High
  • 4 = Critical
" }, + { "summary": "Initial implementation of alerting queues:
  • Low & Medium alerts are accessible through Kibana & Hunt.
  • High & Critical alerts are accessible through Kibana, Hunt and TheHive for immediate analysis.
" }, + { "summary": "ATT&CK Navigator is now a statically-hosted site in the nginx container." }, + { "summary": "Playbook updates:
  • All Sigma rules in the community repo (500+) are now imported and kept up to date.
  • Initial implementation of automated testing when a Play's detection logic has been edited (i.e., Unit Testing).
  • Updated UI Theme.
  • Once authenticated through SOC, users can now access Playbook with analyst permissions without login.
" }, + { "summary": "Kolide Launcher has been updated to include the ability to pass arbitrary flags. This new functionality was sponsored by SOS." }, + { "summary": "Fixed issue with Wazuh authd registration service port not being correctly exposed." }, + { "summary": "Added option for exposure of Elasticsearch REST API (port 9200) to so-allow for easier external querying/integration with other tools." }, + { "summary": "Added option to so-allow for external Strelka file uploads (e.g., via strelka-fileshot)." }, + { "summary": "Added default YARA rules for Strelka. Default rules are maintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base." }, + { "summary": "Added the ability to use custom Zeek scripts." }, + { "summary": "Renamed master server to manager node." }, + { "summary": "Improved unification of Zeek and Strelka file data." } ] } diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 090db59ea..31e49fc86 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json @@ -1,4 +1,4 @@ -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} +{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') -%} {%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%} { "logFilename": "/opt/sensoroni/logs/sensoroni-server.log", @@ -12,10 +12,10 @@ "jobDir": "jobs" }, "kratos": { - "hostUrl": "http://{{ MASTERIP }}:4434/" + "hostUrl": "http://{{ MANAGERIP }}:4434/" }, "elastic": { - "hostUrl": "http://{{ MASTERIP }}:9200", + "hostUrl": "http://{{ MANAGERIP }}:9200", "username": "", "password": "", "verifyCert": false @@ -78,12 +78,12 @@ "su" : ["soc_timestamp", "message" ], "sudo" : ["soc_timestamp", "message" ], "systemd": ["soc_timestamp", "message" ], - "sysmon": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "computer_name", "event_id", "parent_image_path", "source_name", "task", "username" ], - "wineventlog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "computer_name", "event_id", "log_name", "source_name", "task" ] + "sysmon": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "host.name", "event.dataset", "parent_image_path", "source_name", "task", "user.name" ], + "wineventlog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "host.name", "event.code", "event.dataset", "source_name", "task" ] }, "queries": [ { "name": "Default Query", "description": "Show all events grouped by the origin host", "query": "* | groupby observer.name"}, - { "name": "Log Type", "description": "Show all events grouped by type", "query": "* | groupby event.module"}, + { "name": "Log Type", "description": "Show all events grouped by module and dataset", "query": "* | groupby event.module event.dataset"}, { "name": "Elastalerts", "description": "", "query": "_type:elastalert | groupby rule.name"}, { "name": "Alerts", "description": "Show all alerts grouped by alert source", "query": "event.dataset: alert | groupby event.module"}, { "name": "NIDS Alerts", "description": "Show all NIDS alerts grouped by alert name", "query": "event.category: network AND event.dataset: alert | groupby rule.name"}, @@ -91,8 +91,8 @@ { "name": "Wazuh/OSSEC Commands", "description": "Show all Wazuh alerts grouped by command line", "query": "event.module:ossec AND event.dataset:alert | groupby process.command_line"}, { "name": "Wazuh/OSSEC Processes", "description": "Show all Wazuh alerts grouped by process name", "query": "event.module:ossec AND event.dataset:alert | groupby process.name"}, { "name": "Wazuh/OSSEC Users", "description": "Show all Wazuh alerts grouped by username", "query": "event.module:ossec AND event.dataset:alert | groupby user.name"}, - { "name": "Sysmon Events", "description": "Show all Sysmon logs grouped by event_id", "query": "event_type:sysmon | groupby event_id"}, - { "name": "Sysmon Usernames", "description": "Show all Sysmon logs grouped by username", "query": "event_type:sysmon | groupby username"}, + { "name": "Sysmon Events", "description": "Show all Sysmon logs grouped by event type", "query": "event.module:sysmon | groupby event.dataset"}, + { "name": "Sysmon Usernames", "description": "Show all Sysmon logs grouped by username", "query": "event.module:sysmon | groupby event.dataset, user.name.keyword"}, { "name": "Zeek Notice", "description": "Show notices from Zeek", "query": "event.dataset:notice | groupby notice.note notice.message"}, { "name": "Connections", "description": "Connections grouped by IP and Port", "query": "event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port"}, { "name": "Connections", "description": "Connections grouped by Service", "query": "event.dataset:conn | groupby network.protocol destination.port"}, @@ -107,8 +107,9 @@ { "name": "DNS", "description": "DNS queries grouped by response code", "query": "event.dataset:dns | groupby dns.response.code_name destination.port"}, { "name": "DNS", "description": "DNS highest registered domain", "query": "event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port"}, { "name": "DNS", "description": "DNS grouped by parent domain", "query": "event.dataset:dns | groupby dns.parent_domain.keyword destination.port"}, - { "name": "Files", "description": "Files grouped by mimetype", "query": "event.dataset:files | groupby file.mime_type source.ip"}, - { "name": "Files", "description": "Files grouped by source", "query": "event.dataset:files | groupby file.source source.ip"}, + { "name": "DPD", "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason"}, + { "name": "Files", "description": "Files grouped by mimetype", "query": "event.dataset:file | groupby file.mime_type source.ip"}, + { "name": "Files", "description": "Files grouped by source", "query": "event.dataset:file | groupby file.source source.ip"}, { "name": "FTP", "description": "FTP grouped by argument", "query": "event.dataset:ftp | groupby ftp.argument"}, { "name": "FTP", "description": "FTP grouped by command", "query": "event.dataset:ftp | groupby ftp.command"}, { "name": "FTP", "description": "FTP grouped by username", "query": "event.dataset:ftp | groupby ftp.user"}, diff --git a/salt/soc/init.sls b/salt/soc/init.sls index cc2c9dfd6..e3fdf538a 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -1,5 +1,6 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} socdir: file.directory: @@ -33,7 +34,7 @@ socsync: so-soc: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-soc:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }} - hostname: soc - name: so-soc - binds: @@ -84,7 +85,7 @@ kratossync: so-kratos: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-kratos:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kratos:{{ VERSION }} - hostname: kratos - name: so-kratos - binds: diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf index e5878cb70..477113376 100644 --- a/salt/soctopus/files/SOCtopus.conf +++ b/salt/soctopus/files/SOCtopus.conf @@ -1,9 +1,10 @@ -{%- set MASTER = salt['pillar.get']('master:url_base', '') %} +{%- set MANAGER = salt['pillar.get']('manager:url_base', '') %} {%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %} {%- set CORTEXKEY = salt['pillar.get']('static:cortexorguserkey', '') %} [es] -es_url = http://{{MASTER}}:9200 +es_url = http://{{MANAGER}}:9200 +es_ip = {{MANAGER}} es_user = YOURESUSER es_pass = YOURESPASS es_index_pattern = so-* @@ -11,7 +12,7 @@ es_verifycert = no [cortex] auto_analyze_alerts = no -cortex_url = https://{{MASTER}}/cortex/ +cortex_url = https://{{MANAGER}}/cortex/ cortex_key = {{ CORTEXKEY }} supported_analyzers = Urlscan_io_Search,CERTatPassiveDNS @@ -32,7 +33,7 @@ grr_user = YOURGRRUSER grr_pass = YOURGRRPASS [hive] -hive_url = https://{{MASTER}}/thehive/ +hive_url = https://{{MANAGER}}/thehive/ hive_key = {{ HIVEKEY }} hive_tlp = 3 hive_verifycert = no @@ -59,9 +60,11 @@ slack_url = YOURSLACKWORKSPACE slack_webhook = YOURSLACKWEBHOOK [playbook] -playbook_url = https://{{MASTER}}/playbook +playbook_url = http://{{MANAGER}}:3200/playbook +playbook_ext_url = https://{{MANAGER}}/playbook playbook_key = de6639318502476f2fa5aa06f43f51fb389a3d7f playbook_verifycert = no +playbook_unit_test_index = playbook-testing [log] logfile = /var/log/SOCtopus/soctopus.log diff --git a/salt/soctopus/files/templates/es-generic.template b/salt/soctopus/files/templates/es-generic.template index cdda8a19b..b56050741 100644 --- a/salt/soctopus/files/templates/es-generic.template +++ b/salt/soctopus/files/templates/es-generic.template @@ -1,4 +1,4 @@ -{% set ES = salt['pillar.get']('static:masterip', '') %} +{% set ES = salt['pillar.get']('static:managerip', '') %} alert: modules.so.playbook-es.PlaybookESAlerter elasticsearch_host: "{{ ES }}:9200" diff --git a/salt/soctopus/files/templates/generic.template b/salt/soctopus/files/templates/generic.template index 68dc040fc..7bb5a969d 100644 --- a/salt/soctopus/files/templates/generic.template +++ b/salt/soctopus/files/templates/generic.template @@ -1,5 +1,5 @@ -{% set es = salt['pillar.get']('static:masterip', '') %} -{% set hivehost = salt['pillar.get']('static:masterip', '') %} +{% set es = salt['pillar.get']('static:managerip', '') %} +{% set hivehost = salt['pillar.get']('static:managerip', '') %} {% set hivekey = salt['pillar.get']('static:hivekey', '') %} alert: hivealerter @@ -23,3 +23,15 @@ hive_alert_config: status: 'New' follow: True caseTemplate: '5000' + +alert: modules.so.playbook-es.PlaybookESAlerter +elasticsearch_host: "{{ es }}:9200" +play_title: "" +event.module: "playbook" +event.dataset: "alert" +event.severity: +rule.category: +play_url: "https://{{ es }}/playbook/issues/6000" +kibana_pivot: "https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{[_id]}'),sort:!('@timestamp',desc))" +soc_pivot: "https://{{es}}/#/hunt" +sigma_level: "" \ No newline at end of file diff --git a/salt/soctopus/files/templates/osquery.template b/salt/soctopus/files/templates/osquery.template index 28ea29ee9..4fff9a1d5 100644 --- a/salt/soctopus/files/templates/osquery.template +++ b/salt/soctopus/files/templates/osquery.template @@ -1,5 +1,5 @@ -{% set es = salt['pillar.get']('static:masterip', '') %} -{% set hivehost = salt['pillar.get']('static:masterip', '') %} +{% set es = salt['pillar.get']('static:managerip', '') %} +{% set hivehost = salt['pillar.get']('static:managerip', '') %} {% set hivekey = salt['pillar.get']('static:hivekey', '') %} alert: hivealerter @@ -31,3 +31,14 @@ hive_alert_config: caseTemplate: '5000' +alert: modules.so.playbook-es.PlaybookESAlerter +elasticsearch_host: "{{ es }}:9200" +play_title: "" +event.module: "playbook" +event.dataset: "alert" +event.severity: +rule.category: +play_url: "https://{{ es }}/playbook/issues/6000" +kibana_pivot: "https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{[_id]}'),sort:!('@timestamp',desc))" +soc_pivot: "https://{{es}}/#/hunt" +sigma_level: "" \ No newline at end of file diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index ff30c3c1a..3fcdf8717 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -1,7 +1,8 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} -{%- set MASTER_URL = salt['pillar.get']('master:url_base', '') %} -{%- set MASTER_IP = salt['pillar.get']('static:masterip', '') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} +{%- set MANAGER_URL = salt['pillar.get']('manager:url_base', '') %} +{%- set MANAGER_IP = salt['pillar.get']('static:managerip', '') %} soctopusdir: file.directory: @@ -10,7 +11,7 @@ soctopusdir: - group: 939 - makedirs: True -soctopussync: +soctopus-sync: file.recurse: - name: /opt/so/conf/soctopus/templates - source: salt://soctopus/files/templates @@ -24,7 +25,6 @@ soctopusconf: - source: salt://soctopus/files/SOCtopus.conf - user: 939 - group: 939 - - replace: False - mode: 600 - template: jinja @@ -49,19 +49,9 @@ playbookrulessync: - group: 939 - template: jinja -navigatordefaultlayer: - file.managed: - - name: /opt/so/conf/navigator/nav_layer_playbook.json - - source: salt://navigator/files/nav_layer_playbook.json - - user: 939 - - group: 939 - - makedirs: True - - replace: False - - template: jinja - so-soctopus: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-soctopus:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soctopus:{{ VERSION }} - hostname: soctopus - name: so-soctopus - binds: @@ -72,4 +62,4 @@ so-soctopus: - port_bindings: - 0.0.0.0:7000:7000 - extra_hosts: - - {{MASTER_URL}}:{{MASTER_IP}} + - {{MANAGER_URL}}:{{MANAGER_IP}} diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index fb8e9571a..efa3032dc 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -1,5 +1,5 @@ -{% set master = salt['grains.get']('master') %} -{% set masterip = salt['pillar.get']('static:masterip', '') %} +{% set manager = salt['grains.get']('master') %} +{% set managerip = salt['pillar.get']('static:managerip', '') %} {% set HOSTNAME = salt['grains.get']('host') %} {% set global_ca_text = [] %} {% set global_ca_server = [] %} @@ -7,13 +7,13 @@ {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %} -{% if grains.id.split('_')|last in ['master', 'eval', 'standalone'] %} +{% if grains.id.split('_')|last in ['manager', 'eval', 'standalone'] %} {% set trusttheca_text = salt['mine.get'](grains.id, 'x509.get_pem_entries')[grains.id]['/etc/pki/ca.crt']|replace('\n', '') %} {% set ca_server = grains.id %} {% else %} {% set x509dict = salt['mine.get']('*', 'x509.get_pem_entries') %} {% for host in x509dict %} - {% if 'master' in host.split('_')|last or host.split('_')|last == 'standalone' %} + {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %} {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %} {% do global_ca_server.append(host) %} {% endif %} @@ -43,7 +43,7 @@ m2cryptopkgs: - ca_server: {{ ca_server }} - signing_policy: influxdb - public_key: /etc/pki/influxdb.key - - CN: {{ master }} + - CN: {{ manager }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -52,7 +52,14 @@ m2cryptopkgs: bits: 4096 backup: True -{% if grains['role'] in ['so-master', 'so-eval', 'so-helix', 'so-mastersearch', 'so-standalone'] %} +influxkeyperms: + file.managed: + - replace: False + - name: /etc/pki/influxdb.key + - mode: 640 + - group: 939 + +{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone'] %} # Request a cert and drop it where it needs to go to be distributed /etc/pki/filebeat.crt: @@ -63,7 +70,7 @@ m2cryptopkgs: {% if grains.role == 'so-heavynode' %} - CN: {{grains.id}} {% else %} - - CN: {{master}} + - CN: {{manager}} {% endif %} - days_remaining: 0 - days_valid: 820 @@ -75,6 +82,13 @@ m2cryptopkgs: cmd.run: - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt" +fbperms: + file.managed: + - replace: False + - name: /etc/pki/filebeat.key + - mode: 640 + - group: 939 + chownilogstashfilebeatp8: file.managed: - replace: False @@ -105,7 +119,7 @@ fbcrtlink: - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/registry.key - - CN: {{ master }} + - CN: {{ manager }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -114,25 +128,40 @@ fbcrtlink: bits: 4096 backup: True +regkeyperms: + file.managed: + - replace: False + - name: /etc/pki/registry.key + - mode: 640 + - group: 939 + # Create a cert for the reverse proxy -/etc/pki/masterssl.crt: +/etc/pki/managerssl.crt: x509.certificate_managed: - ca_server: {{ ca_server }} - - signing_policy: masterssl - - public_key: /etc/pki/masterssl.key - - CN: {{ master }} + - signing_policy: managerssl + - public_key: /etc/pki/managerssl.key + - CN: {{ manager }} + - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} - days_remaining: 0 - days_valid: 820 - backup: True - managed_private_key: - name: /etc/pki/masterssl.key + name: /etc/pki/managerssl.key bits: 4096 backup: True +msslkeyperms: + file.managed: + - replace: False + - name: /etc/pki/managerssl.key + - mode: 640 + - group: 939 + # Create a private key and cert for OSQuery /etc/pki/fleet.key: x509.private_key_managed: - - CN: {{ master }} + - CN: {{ manager }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -141,8 +170,8 @@ fbcrtlink: /etc/pki/fleet.crt: x509.certificate_managed: - signing_private_key: /etc/pki/fleet.key - - CN: {{ master }} - - subjectAltName: DNS:{{ master }},IP:{{ masterip }} + - CN: {{ manager }} + - subjectAltName: DNS:{{ manager }},IP:{{ managerip }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -151,8 +180,15 @@ fbcrtlink: bits: 4096 backup: True +fleetkeyperms: + file.managed: + - replace: False + - name: /etc/pki/fleet.key + - mode: 640 + - group: 939 + {% endif %} -{% if grains['role'] in ['so-sensor', 'so-master', 'so-node', 'so-eval', 'so-helix', 'so-mastersearch', 'so-heavynode', 'so-fleet', 'so-standalone'] %} +{% if grains['role'] in ['so-sensor', 'so-manager', 'so-node', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone'] %} fbcertdir: file.directory: @@ -168,7 +204,7 @@ fbcertdir: {% if grains.role == 'so-heavynode' %} - CN: {{grains.id}} {% else %} - - CN: {{master}} + - CN: {{manager}} {% endif %} - days_remaining: 0 - days_valid: 820 @@ -183,6 +219,13 @@ filebeatpkcs: cmd.run: - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:" +filebeatkeyperms: + file.managed: + - replace: False + - name: /opt/so/conf/filebeat/etc/pki/filebeat.key + - mode: 640 + - group: 939 + chownfilebeatp8: file.managed: - replace: False @@ -196,21 +239,27 @@ chownfilebeatp8: {% if grains['role'] == 'so-fleet' %} # Create a cert for the reverse proxy -/etc/pki/masterssl.crt: +/etc/pki/managerssl.crt: x509.certificate_managed: - ca_server: {{ ca_server }} - - signing_policy: masterssl - - public_key: /etc/pki/masterssl.key + - signing_policy: managerssl + - public_key: /etc/pki/managerssl.key - CN: {{ HOSTNAME }} - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} - days_remaining: 0 - days_valid: 820 - backup: True - managed_private_key: - name: /etc/pki/masterssl.key + name: /etc/pki/managerssl.key bits: 4096 backup: True +msslkeyperms: + file.managed: + - replace: False + - name: /etc/pki/managerssl.key + - mode: 640 + - group: 939 # Create a private key and cert for Fleet /etc/pki/fleet.key: @@ -234,4 +283,11 @@ chownfilebeatp8: bits: 4096 backup: True -{% endif %} +fleetkeyperms: + file.managed: + - replace: False + - name: /etc/pki/fleet.key + - mode: 640 + - group: 939 + +{% endif %} \ No newline at end of file diff --git a/salt/strelka/files/backend/backend.yaml b/salt/strelka/files/backend/backend.yaml index 76a2ae3af..b25e5630d 100644 --- a/salt/strelka/files/backend/backend.yaml +++ b/salt/strelka/files/backend/backend.yaml @@ -2,7 +2,7 @@ {%- set mainint = salt['pillar.get']('sensor:mainint') %} {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint[0], salt['pillar.get']('sensor:mainip')) %} {%- else %} - {%- set ip = salt['pillar.get']('static:masterip') %} + {%- set ip = salt['pillar.get']('static:managerip') %} {%- endif -%} logging_cfg: '/etc/strelka/logging.yaml' limits: diff --git a/salt/strelka/files/filestream/filestream.yaml b/salt/strelka/files/filestream/filestream.yaml index c45fd8644..539e4314c 100644 --- a/salt/strelka/files/filestream/filestream.yaml +++ b/salt/strelka/files/filestream/filestream.yaml @@ -2,7 +2,7 @@ {%- set mainint = salt['pillar.get']('sensor:mainint') %} {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint[0], salt['pillar.get']('sensor:mainip')) %} {%- else %} - {%- set ip = salt['pillar.get']('static:masterip') %} + {%- set ip = salt['pillar.get']('static:managerip') %} {%- endif -%} conn: server: '{{ ip }}:57314' diff --git a/salt/strelka/files/frontend/frontend.yaml b/salt/strelka/files/frontend/frontend.yaml index 56df323f9..5d72f1e0d 100644 --- a/salt/strelka/files/frontend/frontend.yaml +++ b/salt/strelka/files/frontend/frontend.yaml @@ -2,7 +2,7 @@ {%- set mainint = salt['pillar.get']('sensor:mainint') %} {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint[0], salt['pillar.get']('sensor:mainip')) %} {%- else %} - {%- set ip = salt['pillar.get']('static:masterip') %} + {%- set ip = salt['pillar.get']('static:managerip') %} {%- endif -%} server: ":57314" coordinator: diff --git a/salt/strelka/files/manager/manager.yaml b/salt/strelka/files/manager/manager.yaml index 8a5966ac9..db9dd7f91 100644 --- a/salt/strelka/files/manager/manager.yaml +++ b/salt/strelka/files/manager/manager.yaml @@ -2,7 +2,7 @@ {%- set mainint = salt['pillar.get']('sensor:mainint') %} {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint[0], salt['pillar.get']('sensor:mainip')) %} {%- else %} - {%- set ip = salt['pillar.get']('static:masterip') %} + {%- set ip = salt['pillar.get']('static:managerip') %} {%- endif -%} coordinator: addr: '{{ ip }}:6380' diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 5767531f4..c6a900e8e 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -12,9 +12,11 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{%- set MASTER = grains['master'] %} -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{%- set MANAGER = salt['grains.get']('master') %} +{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{%- set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') -%} # Strelka config strelkaconfdir: @@ -24,6 +26,13 @@ strelkaconfdir: - group: 939 - makedirs: True +strelkarulesdir: + file.directory: + - name: /opt/so/conf/strelka/rules + - user: 939 + - group: 939 + - makedirs: True + # Sync dynamic config to conf dir strelkasync: file.recurse: @@ -33,6 +42,21 @@ strelkasync: - group: 939 - template: jinja +{%- if STRELKA_RULES == 1 %} +strelka_yara_update: + cron.present: + - user: root + - name: '[ -d /opt/so/saltstack/default/salt/strelka/rules/ ] && /usr/sbin/so-yara-update > /dev/null 2>&1' + - hour: '7' + +strelkarules: + file.recurse: + - name: /opt/so/conf/strelka/rules + - source: salt://strelka/rules + - user: 939 + - group: 939 +{%- endif %} + strelkadatadir: file.directory: - name: /nsm/strelka @@ -56,7 +80,7 @@ strelkastagedir: strelka_coordinator: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-redis:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }} - name: so-strelka-coordinator - entrypoint: redis-server --save "" --appendonly no - port_bindings: @@ -64,7 +88,7 @@ strelka_coordinator: strelka_gatekeeper: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-redis:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }} - name: so-strelka-gatekeeper - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - port_bindings: @@ -72,7 +96,7 @@ strelka_gatekeeper: strelka_frontend: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-frontend:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-frontend:{{ VERSION }} - binds: - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro - /nsm/strelka/log/:/var/log/strelka/:rw @@ -84,17 +108,17 @@ strelka_frontend: strelka_backend: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-backend:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-backend:{{ VERSION }} - binds: - /opt/so/conf/strelka/backend/:/etc/strelka/:ro - - /opt/so/conf/strelka/backend/yara:/etc/yara/:ro + - /opt/so/conf/strelka/rules/:/etc/yara/:ro - name: so-strelka-backend - command: strelka-backend - restart_policy: on-failure strelka_manager: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-manager:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-manager:{{ VERSION }} - binds: - /opt/so/conf/strelka/manager/:/etc/strelka/:ro - name: so-strelka-manager @@ -102,7 +126,7 @@ strelka_manager: strelka_filestream: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-filestream:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-filestream:{{ VERSION }} - binds: - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro - /nsm/strelka:/nsm/strelka diff --git a/salt/strelka/rules/ignore.txt b/salt/strelka/rules/ignore.txt new file mode 100644 index 000000000..a803f8c28 --- /dev/null +++ b/salt/strelka/rules/ignore.txt @@ -0,0 +1,4 @@ +generic_anomalies.yar +general_cloaking.yar +thor_inverse_matches.yar +yara_mixed_ext_vars.yar diff --git a/salt/strelka/rules/repos.txt b/salt/strelka/rules/repos.txt new file mode 100644 index 000000000..e26687ea9 --- /dev/null +++ b/salt/strelka/rules/repos.txt @@ -0,0 +1 @@ +https://github.com/Neo23x0/signature-base diff --git a/salt/suricata/afpacket.map.jinja b/salt/suricata/afpacket.map.jinja new file mode 100644 index 000000000..cd700765a --- /dev/null +++ b/salt/suricata/afpacket.map.jinja @@ -0,0 +1,14 @@ +{% load_yaml as afpacket %} +af-packet: + - interface: {{ salt['pillar.get']('sensor:interface', 'bond0') }} + cluster-id: 59 + cluster-type: cluster_flow + defrag: yes + use-mmap: yes + tpacket-v3: yes + ring-size: {{ salt['pillar.get']('sensor:suriringsize', '2048') }} + - interface: default + #threads: auto + #use-mmap: no + #tpacket-v3: yes +{% endload %} \ No newline at end of file diff --git a/salt/suricata/cron/surilogcompress b/salt/suricata/cron/surilogcompress new file mode 100644 index 000000000..b77c4d635 --- /dev/null +++ b/salt/suricata/cron/surilogcompress @@ -0,0 +1,6 @@ +#!/bin/bash + +# Gzip the eve logs +find /nsm/suricata/eve*.json -type f -printf '%T@\t%p\n' | sort -t $'\t' -g | head -n -1 | cut -d $'\t' -f 2- | xargs nice gzip + +# TODO Add stats log \ No newline at end of file diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml new file mode 100644 index 000000000..3945573a2 --- /dev/null +++ b/salt/suricata/defaults.yaml @@ -0,0 +1,594 @@ +suricata: + config: + vars: + address-groups: + HOME_NET: "[192.168.0.0/16]" + EXTERNAL_NET: "!$HOME_NET" + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + default-log-dir: /var/log/suricata/ + stats: + enabled: "yes" + interval: 30 + #decoder-events: true + #decoder-events-prefix: "decoder.event" + #stream-events: false + outputs: + - fast: + enabled: "no" + filename: fast.log + append: "yes" + - eve-log: + enabled: "yes" + filetype: regular + filename: /nsm/eve-%Y-%m-%d-%H:%M.json + rotate-interval: hour + #prefix: "@cee: " + #identity: "suricata" + #facility: local5 + #level: Info + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true + # mode: list + # key: suricata + # pipelining: + # enabled: "yes" + # batch-size: 10 + #metadata: "no" + pcap-file: false + community-id: true + community-id-seed: 0 + xff: + enabled: "no" + mode: extra-data + deployment: reverse + header: X-Forwarded-For + types: + - alert: + payload: "no" + payload-buffer-size: 4kb + payload-printable: "yes" + packet: "yes" + metadata: + app-layer: false + flow: false + rule: + metadata: true + raw: true + # http-body: "yes" + # http-body-printable: "yes" + tagged-packets: "no" + - unified2-alert: + enabled: "no" + - http-log: + enabled: "no" + filename: http.log + append: "yes" + #extended: "yes" + #custom: "yes" + #customformat: "" + #filetype: regular + - tls-log: + enabled: "no" + filename: tls.log + append: "yes" + #extended: "yes" + #custom: "yes" + #customformat: "" + #filetype: regular + #session-resumption: "no" + - tls-store: + enabled: "no" + #certs-log-dir: certs + - pcap-log: + enabled: "no" + filename: log.pcap + limit: 1000mb + max-files: 2000 + compression: none + #lz4-checksum: "no" + #lz4-level: 0 + + mode: normal + #dir: /nsm_data/ + #ts-format: usec + use-stream-depth: "no" + honor-pass-rules: "no" + - alert-debug: + enabled: "no" + filename: alert-debug.log + append: "yes" + #filetype: regular + - alert-prelude: + enabled: "no" + profile: suricata + log-packet-content: "no" + log-packet-header: "yes" + - stats: + enabled: "yes" + filename: stats.log + append: "yes" + totals: "yes" + threads: "no" + null-values: "yes" + - syslog: + enabled: "no" + #identity: "suricata" + facility: local5 + #level: Info + - drop: + enabled: "no" + - file-store: + version: 2 + enabled: "no" + #dir: filestore + #write-fileinfo: "yes" + #force-filestore: "yes" + #stream-depth: 0 + #max-open-files: 1000 + #force-hash: [sha1, md5] + xff: + enabled: "no" + mode: extra-data + deployment: reverse + header: X-Forwarded-For + - file-store: + enabled: "no" + - tcp-data: + enabled: "no" + type: file + filename: tcp-data.log + - http-body-data: + enabled: "no" + type: file + filename: http-data.log + - lua: + enabled: "no" + #scripts-dir: /etc/suricata/lua-output/ + scripts: + # - script1.lua + logging: + default-log-level: notice + #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " + default-output-filter: + outputs: + - console: + enabled: "yes" + # type: json + - file: + enabled: "yes" + level: info + filename: suricata.log + # type: json + - syslog: + enabled: "no" + facility: local5 + format: "[%i] <%d> -- " + # type: json + pcap: + - interface: eth0 + #buffer-size: 16777216 + #bpf-filter: "tcp and port 25" + #checksum-checks: auto + #threads: 16 + #promisc: "no" + #snaplen: 1518 + - interface: default + #checksum-checks: auto + pcap-file: + checksum-checks: auto + app-layer: + protocols: + krb5: + enabled: "yes" + snmp: + enabled: "yes" + ikev2: + enabled: "yes" + tls: + enabled: "yes" + detection-ports: + dp: 443 + #ja3-fingerprints: auto + #encryption-handling: default + dcerpc: + enabled: "yes" + ftp: + enabled: "yes" + # memcap: 64mb + rdp: + #enabled: "no" + ssh: + enabled: "yes" + smtp: + enabled: "yes" + raw-extraction: "no" + mime: + decode-mime: "yes" + decode-base64: "yes" + decode-quoted-printable: "yes" + header-value-depth: 2000 + extract-urls: "yes" + body-md5: "no" + inspected-tracker: + content-limit: 100000 + content-inspect-min-size: 32768 + content-inspect-window: 4096 + imap: + enabled: detection-only + smb: + enabled: "yes" + detection-ports: + dp: 139, 445 + #stream-depth: 0 + + nfs: + enabled: "yes" + tftp: + enabled: "yes" + dns: + #global-memcap: 16mb + #state-memcap: 512kb + #request-flood: 500 + tcp: + enabled: "yes" + detection-ports: + dp: 53 + udp: + enabled: "yes" + detection-ports: + dp: 53 + http: + enabled: "yes" + # memcap: + # default-config: + # personality: + # request-body-limit: + # response-body-limit: + # server-config: + # address: + # personalitiy: + libhtp: + default-config: + personality: IDS + request-body-limit: 100kb + response-body-limit: 100kb + request-body-minimal-inspect-size: 32kb + request-body-inspect-window: 4kb + response-body-minimal-inspect-size: 40kb + response-body-inspect-window: 16kb + response-body-decompress-layer-limit: 2 + http-body-inline: auto + # compress-depth: + # decompress-depth: + swf-decompression: + enabled: "yes" + type: both + compress-depth: 0 + decompress-depth: 0 + #randomize-inspection-sizes: "yes" + #randomize-inspection-range: 10 + double-decode-path: "no" + double-decode-query: "no" + #lzma-enabled: "yes" + #lzma-memlimit: 1mb + #compression-bomb-limit: 1mb + server-config: + #- apache: + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + # personality: Apache_2 + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: "no" + # double-decode-query: "no" + #- iis7: + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # personality: IIS_7_0 + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: "no" + # double-decode-query: "no" + modbus: + #request-flood: 500 + enabled: "no" + detection-ports: + dp: 502 + stream-depth: 0 + dnp3: + enabled: "no" + detection-ports: + dp: 20000 + enip: + enabled: "no" + detection-ports: + dp: 44818 + sp: 44818 + ntp: + enabled: "yes" + dhcp: + enabled: "yes" + sip: + #enabled: "no" + asn1-max-frames: 256 + run-as: + user: suricata + group: suricata + #sensor-name: suricata + #pid-file: /var/run/suricata.pid + #daemon-directory: "/" + #umask: 022 + coredump: + max-dump: unlimited + host-mode: auto + max-pending-packets: 1024 + runmode: workers + #autofp-scheduler: hash + default-packet-size: 1500 + unix-command: + enabled: auto + #filename: custom.socket + #magic-file: /usr/share/file/magic + #magic-file: + #geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb + legacy: + uricontent: enabled + #reputation-categories-file: /etc/suricata/iprep/categories.txt + #default-reputation-path: /etc/suricata/iprep + #reputation-files: + # - reputation.list + engine-analysis: + rules-fast-pattern: "yes" + rules: "yes" + pcre: + match-limit: 3500 + match-limit-recursion: 1500 + host-os-policy: + windows: [0.0.0.0/0] + bsd: [] + bsd-right: [] + old-linux: [] + linux: [] + old-solaris: [] + solaris: [] + hpux10: [] + hpux11: [] + irix: [] + macos: [] + vista: [] + windows2k3: [] + defrag: + memcap: 32mb + hash-size: 65536 + trackers: 65535 + max-frags: 65535 + prealloc: "yes" + timeout: 60 + flow: + memcap: 128mb + hash-size: 65536 + prealloc: 10000 + emergency-recovery: 30 + #managers: 1 + #recyclers: 1 + vlan: + use-for-tracking: true + flow-timeouts: + default: + new: 30 + established: 300 + closed: 0 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-closed: 0 + emergency-bypassed: 50 + tcp: + new: 60 + established: 600 + closed: 60 + bypassed: 100 + emergency-new: 5 + emergency-established: 100 + emergency-closed: 10 + emergency-bypassed: 50 + udp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + icmp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + stream: + memcap: 64mb + checksum-validation: "yes" + inline: auto + reassembly: + memcap: 256mb + depth: 1mb + toserver-chunk-size: 2560 + toclient-chunk-size: 2560 + randomize-chunk-size: "yes" + #randomize-chunk-range: 10 + #raw: "yes" + #segment-prealloc: 2048 + #check-overlap-different-data: true + host: + hash-size: 4096 + prealloc: 1000 + memcap: 32mb + #ippair: + # hash-size: 4096 + # prealloc: 1000 + # memcap: 32mb + decoder: + teredo: + enabled: true + ports: $TEREDO_PORTS + vxlan: + enabled: true + ports: $VXLAN_PORTS + erspan: + typeI: + enabled: false + detect: + profile: medium + custom-values: + toclient-groups: 3 + toserver-groups: 25 + sgh-mpm-context: auto + inspection-recursion-limit: 3000 + #delayed-detect: "yes" + prefilter: + default: mpm + grouping: + #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 + #udp-whitelist: 53, 135, 5060 + + profiling: + #inspect-logging-threshold: 200 + grouping: + dump-to-disk: false + include-rules: false + include-mpm-stats: false + mpm-algo: auto + spm-algo: auto + threading: + set-cpu-affinity: "yes" + detect-thread-ratio: 1.0 + luajit: + states: 128 + + profiling: + #sample-rate: 1000 + rules: + enabled: "yes" + filename: rule_perf.log + append: "yes" + #sort: avgticks + limit: 10 + json: "yes" + keywords: + enabled: "yes" + filename: keyword_perf.log + append: "yes" + + prefilter: + enabled: "yes" + filename: prefilter_perf.log + append: "yes" + rulegroups: + enabled: "yes" + filename: rule_group_perf.log + append: "yes" + packets: + enabled: "yes" + filename: packet_stats.log + append: "yes" + csv: + enabled: "no" + filename: packet_stats.csv + locks: + enabled: "no" + filename: lock_stats.log + append: "yes" + + pcap-log: + enabled: "no" + filename: pcaplog_stats.log + append: "yes" + nfq: + # mode: accept + # repeat-mark: 1 + # repeat-mask: 1 + # bypass-mark: 1 + # bypass-mask: 1 + # route-queue: 2 + # batchcount: 20 + # fail-open: "yes" + nflog: + - group: 2 + buffer-size: 18432 + - group: default + qthreshold: 1 + qtimeout: 100 + max-size: 20000 + capture: + #checksum-validation: none + netmap: + - interface: eth2 + #threads: auto + #copy-mode: tap + #copy-iface: eth3 + # disable-promisc: "no" + #checksum-checks: auto + #bpf-filter: port 80 or udp + #- interface: eth3 + #threads: auto + #copy-mode: tap + #copy-iface: eth2 + - interface: default + pfring: + - interface: eth0 + threads: auto + cluster-id: 99 + cluster-type: cluster_flow + #bpf-filter: tcp + #bypass: "yes" + #checksum-checks: auto + #- interface: eth1 + # threads: 3 + # cluster-id: 93 + # cluster-type: cluster_flow + - interface: default + #threads: 2 + ipfw: + # ipfw-reinjection-rule-number: 5500 + napatech: + #hba: -1 + #use-all-streams: "no" + streams: ["0-3"] + auto-config: "yes" + ports: [all] + hashmode: hash5tuplesorted + default-rule-path: /etc/suricata/rules + rule-files: + - all.rules + classification-file: /etc/suricata/classification.config + reference-config-file: /etc/suricata/reference.config + # threshold-file: /etc/suricata/threshold.config + #include: include1.yaml + #include: include2.yaml + \ No newline at end of file diff --git a/salt/suricata/files/suricata.yaml b/salt/suricata/files/suricata.yaml deleted file mode 100644 index 28e5b4bcf..000000000 --- a/salt/suricata/files/suricata.yaml +++ /dev/null @@ -1,1883 +0,0 @@ -%YAML 1.1 ---- - {%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} - {%- if grains['role'] == 'so-eval' %} - {%- set MTU = 1500 %} - {%- elif grains['role'] == 'so-helix' %} - {%- set MTU = 9000 %} - {%- else %} - {%- set MTU = salt['pillar.get']('sensor:mtu', '1500') %} - {%- endif %} - {%- if salt['pillar.get']('sensor:homenet') %} - {%- set homenet = salt['pillar.get']('sensor:hnsensor', '') %} - {%- else %} - {%- set homenet = salt['pillar.get']('static:hnmaster', '') %} - {%- endif %} -# Suricata configuration file. In addition to the comments describing all -# options in this file, full documentation can be found at: -# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html - -## -## Step 1: inform Suricata about your network -## - -vars: - # more specific is better for alert accuracy and performance - address-groups: - HOME_NET: "[{{ homenet }}]" - #HOME_NET: "[192.168.0.0/16]" - #HOME_NET: "[10.0.0.0/8]" - #HOME_NET: "[172.16.0.0/12]" - #HOME_NET: "any" - - EXTERNAL_NET: "!$HOME_NET" - #EXTERNAL_NET: "any" - - HTTP_SERVERS: "$HOME_NET" - SMTP_SERVERS: "$HOME_NET" - SQL_SERVERS: "$HOME_NET" - DNS_SERVERS: "$HOME_NET" - TELNET_SERVERS: "$HOME_NET" - AIM_SERVERS: "$EXTERNAL_NET" - DC_SERVERS: "$HOME_NET" - DNP3_SERVER: "$HOME_NET" - DNP3_CLIENT: "$HOME_NET" - MODBUS_CLIENT: "$HOME_NET" - MODBUS_SERVER: "$HOME_NET" - ENIP_CLIENT: "$HOME_NET" - ENIP_SERVER: "$HOME_NET" - - port-groups: - HTTP_PORTS: "80" - SHELLCODE_PORTS: "!80" - ORACLE_PORTS: 1521 - SSH_PORTS: 22 - DNP3_PORTS: 20000 - MODBUS_PORTS: 502 - FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" - FTP_PORTS: 21 - VXLAN_PORTS: 4789 - TEREDO_PORTS: 3544 - -## -## Step 2: select outputs to enable -## - -# The default logging directory. Any log or output file will be -# placed here if its not specified with a full path name. This can be -# overridden with the -l command line parameter. -default-log-dir: /var/log/suricata/ - -# global stats configuration -stats: - enabled: yes - # The interval field (in seconds) controls at what interval - # the loggers are invoked. - interval: 30 - # Add decode events as stats. - #decoder-events: true - # Decoder event prefix in stats. Has been 'decoder' before, but that leads - # to missing events in the eve.stats records. See issue #2225. - #decoder-events-prefix: "decoder.event" - # Add stream events as stats. - #stream-events: false - -# Configure the type of alert (and other) logging you would like. -outputs: - # a line based alerts log similar to Snort's fast.log - - fast: - enabled: no - filename: fast.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # Extensible Event Format (nicknamed EVE) event log in JSON format - - eve-log: - enabled: yes - filetype: regular #regular|syslog|unix_dgram|unix_stream|redis - filename: /nsm/eve-%Y-%m-%d-%H:%M.json - rotate-interval: hour - - #prefix: "@cee: " # prefix to prepend to each log entry - # the following are valid when type: syslog above - #identity: "suricata" - #facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - #redis: - # server: 127.0.0.1 - # port: 6379 - # async: true ## if redis replies are read asynchronously - # mode: list ## possible values: list|lpush (default), rpush, channel|publish - # ## lpush and rpush are using a Redis list. "list" is an alias for lpush - # ## publish is using a Redis channel. "channel" is an alias for publish - # key: suricata ## key or channel to use (default to suricata) - # Redis pipelining set up. This will enable to only do a query every - # 'batch-size' events. This should lower the latency induced by network - # connection at the cost of some memory. There is no flushing implemented - # so this setting as to be reserved to high traffic suricata. - # pipelining: - # enabled: yes ## set enable to yes to enable query pipelining - # batch-size: 10 ## number of entry to keep in buffer - - # Include top level metadata. Default yes. - #metadata: no - - # include the name of the input pcap file in pcap file processing mode - pcap-file: false - - # Community Flow ID - # Adds a 'community_id' field to EVE records. These are meant to give - # a records a predictable flow id that can be used to match records to - # output of other tools such as Bro. - # - # Takes a 'seed' that needs to be same across sensors and tools - # to make the id less predictable. - - # enable/disable the community id feature. - community-id: true - # Seed value for the ID output. Valid values are 0-65535. - community-id-seed: 0 - - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - - types: - - alert: - payload: no # enable dumping payload in Base64 - payload-buffer-size: 4kb # max size of payload buffer to output in eve-log - payload-printable: yes # enable dumping payload in printable (lossy) format - packet: yes # enable dumping of packet (without stream segments) - metadata: - app-layer: false - flow: false - rule: - metadata: true - raw: true - - # http-body: yes # Requires metadata; enable dumping of http body in Base64 - # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format - - # Enable the logging of tagged packets for rules using the - # "tag" keyword. - tagged-packets: no - #- anomaly: - # Anomaly log records describe unexpected conditions such - # as truncated packets, packets with invalid IP/UDP/TCP - # length values, and other events that render the packet - # invalid for further processing or describe unexpected - # behavior on an established stream. Networks which - # experience high occurrences of anomalies may experience - # packet processing degradation. - # - # Anomalies are reported for the following: - # 1. Decode: Values and conditions that are detected while - # decoding individual packets. This includes invalid or - # unexpected values for low-level protocol lengths as well - # as stream related events (TCP 3-way handshake issues, - # unexpected sequence number, etc). - # 2. Stream: This includes stream related events (TCP - # 3-way handshake issues, unexpected sequence number, - # etc). - # 3. Application layer: These denote application layer - # specific conditions that are unexpected, invalid or are - # unexpected given the application monitoring state. - # - # By default, anomaly logging is disabled. When anomaly - # logging is enabled, applayer anomaly reporting is - # enabled. - # enabled: no - # - # Choose one or more types of anomaly logging and whether to enable - # logging of the packet header for packet anomalies. - # types: - # decode: no - # stream: no - # applayer: yes - #packethdr: no - #- http: - # extended: yes # enable this for extended logging information - # custom allows additional http fields to be included in eve-log - # the example below adds three additional fields when uncommented - #custom: [Accept-Encoding, Accept-Language, Authorization] - # set this value to one and only one among {both, request, response} - # to dump all http headers for every http request and/or response - # dump-all-headers: none - #- dns: - # This configuration uses the new DNS logging format, - # the old configuration is still available: - # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format - - # As of Suricata 5.0, version 2 of the eve dns output - # format is the default. - #version: 2 - - # Enable/disable this logger. Default: enabled. - #enabled: yes - - # Control logging of requests and responses: - # - requests: enable logging of DNS queries - # - responses: enable logging of DNS answers - # By default both requests and responses are logged. - #requests: no - #responses: no - - # Format of answer logging: - # - detailed: array item per answer - # - grouped: answers aggregated by type - # Default: all - #formats: [detailed, grouped] - - # Types to log, based on the query type. - # Default: all. - #types: [a, aaaa, cname, mx, ns, ptr, txt] - #- tls: - # extended: yes # enable this for extended logging information - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: no - # custom allows to control which tls fields that are included - # in eve-log - #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] - #- files: - # force-magic: no # force logging magic on all logged files - # force logging of checksums, available hash functions are md5, - # sha1 and sha256 - #force-hash: [md5] - #- drop: - # alerts: yes # log alerts that caused drops - # flows: all # start or all: 'start' logs only a single drop - # # per flow direction. All logs each dropped pkt. - #- smtp: - #extended: yes # enable this for extended logging information - # this includes: bcc, message-id, subject, x_mailer, user-agent - # custom fields logging from the list: - # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, - # x-originating-ip, in-reply-to, references, importance, priority, - # sensitivity, organization, content-md5, date - #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] - # output md5 of fields: body, subject - # for the body you need to set app-layer.protocols.smtp.mime.body-md5 - # to yes - #md5: [body, subject] - - #- dnp3 - #- ftp - #- rdp - #- nfs - #- smb - #- tftp - #- ikev2 - #- krb5 - #- snmp - #- sip - #- dhcp: - # enabled: yes - # When extended mode is on, all DHCP messages are logged - # with full detail. When extended mode is off (the - # default), just enough information to map a MAC address - # to an IP address is logged. - # extended: no - #- ssh - #- stats: - # totals: yes # stats for all threads merged together - # threads: no # per thread stats - # deltas: no # include delta values - # bi-directional flows - #- flow - # uni-directional flows - #- netflow - - # Metadata event type. Triggered whenever a pktvar is saved - # and will include the pktvars, flowvars, flowbits and - # flowints. - #- metadata - - # deprecated - unified2 alert format for use with Barnyard2 - - unified2-alert: - enabled: no - # for further options see: - # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#alert-output-for-use-with-barnyard2-unified2-alert - - # a line based log of HTTP requests (no alerts) - - http-log: - enabled: no - filename: http.log - append: yes - #extended: yes # enable this for extended logging information - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # a line based log of TLS handshake parameters (no alerts) - - tls-log: - enabled: no # Log TLS connections. - filename: tls.log # File to store TLS logs. - append: yes - #extended: yes # Log extended information like fingerprint - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: no - - # output module to store certificates chain to disk - - tls-store: - enabled: no - #certs-log-dir: certs # directory to store the certificates files - - # Packet log... log packets in pcap format. 3 modes of operation: "normal" - # "multi" and "sguil". - # - # In normal mode a pcap file "filename" is created in the default-log-dir, - # or are as specified by "dir". - # In multi mode, a file is created per thread. This will perform much - # better, but will create multiple files where 'normal' would create one. - # In multi mode the filename takes a few special variables: - # - %n -- thread number - # - %i -- thread id - # - %t -- timestamp (secs or secs.usecs based on 'ts-format' - # E.g. filename: pcap.%n.%t - # - # Note that it's possible to use directories, but the directories are not - # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the - # per thread directory. - # - # Also note that the limit and max-files settings are enforced per thread. - # So the size limit when using 8 threads with 1000mb files and 2000 files - # is: 8*1000*2000 ~ 16TiB. - # - # In Sguil mode "dir" indicates the base directory. In this base dir the - # pcaps are created in th directory structure Sguil expects: - # - # $sguil-base-dir/YYYY-MM-DD/$filename. - # - # By default all packets are logged except: - # - TCP streams beyond stream.reassembly.depth - # - encrypted streams after the key exchange - # - - pcap-log: - enabled: no - filename: log.pcap - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - limit: 1000mb - - # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" - max-files: 2000 - - # Compression algorithm for pcap files. Possible values: none, lz4. - # Enabling compression is incompatible with the sguil mode. Note also - # that on Windows, enabling compression will *increase* disk I/O. - compression: none - - # Further options for lz4 compression. The compression level can be set - # to a value between 0 and 16, where higher values result in higher - # compression. - #lz4-checksum: no - #lz4-level: 0 - - mode: normal # normal, multi or sguil. - - # Directory to place pcap files. If not provided the default log - # directory will be used. Required for "sguil" mode. - #dir: /nsm_data/ - - #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec - use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets - honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged. - - # a full alerts log containing much information for signature writers - # or for investigating suspected false positives. - - alert-debug: - enabled: no - filename: alert-debug.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # alert output to prelude (https://www.prelude-siem.org/) only - # available if Suricata has been compiled with --enable-prelude - - alert-prelude: - enabled: no - profile: suricata - log-packet-content: no - log-packet-header: yes - - # Stats.log contains data from various counters of the Suricata engine. - - stats: - enabled: yes - filename: stats.log - append: yes # append to file (yes) or overwrite it (no) - totals: yes # stats for all threads merged together - threads: no # per thread stats - null-values: yes # print counters that have value 0 - - # a line based alerts log similar to fast.log into syslog - - syslog: - enabled: no - # reported identity to syslog. If ommited the program name (usually - # suricata) will be used. - #identity: "suricata" - facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - - # deprecated a line based information for dropped packets in IPS mode - - drop: - enabled: no - # further options documented at: - # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#drop-log-a-line-based-information-for-dropped-packets - - # Output module for storing files on disk. Files are stored in a - # directory names consisting of the first 2 characters of the - # SHA256 of the file. Each file is given its SHA256 as a filename. - # - # When a duplicate file is found, the existing file is touched to - # have its timestamps updated. - # - # Unlike the older filestore, metadata is not written out by default - # as each file should already have a "fileinfo" record in the - # eve.log. If write-fileinfo is set to yes, the each file will have - # one more associated .json files that consists of the fileinfo - # record. A fileinfo file will be written for each occurrence of the - # file seen using a filename suffix to ensure uniqueness. - # - # To prune the filestore directory see the "suricatactl filestore - # prune" command which can delete files over a certain age. - - file-store: - version: 2 - enabled: no - - # Set the directory for the filestore. If the path is not - # absolute will be be relative to the default-log-dir. - #dir: filestore - - # Write out a fileinfo record for each occurrence of a - # file. Disabled by default as each occurrence is already logged - # as a fileinfo record to the main eve-log. - #write-fileinfo: yes - - # Force storing of all files. Default: no. - #force-filestore: yes - - # Override the global stream-depth for sessions in which we want - # to perform file extraction. Set to 0 for unlimited. - #stream-depth: 0 - - # Uncomment the following variable to define how many files can - # remain open for filestore by Suricata. Default value is 0 which - # means files get closed after each write - #max-open-files: 1000 - - # Force logging of checksums, available hash functions are md5, - # sha1 and sha256. Note that SHA256 is automatically forced by - # the use of this output module as it uses the SHA256 as the - # file naming scheme. - #force-hash: [sha1, md5] - # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - - # deprecated - file-store v1 - - file-store: - enabled: no - # further options documented at: - # https://suricata.readthedocs.io/en/suricata-5.0.0/file-extraction/file-extraction.html#file-store-version-1 - - # Log TCP data after stream normalization - # 2 types: file or dir. File logs into a single logfile. Dir creates - # 2 files per TCP session and stores the raw TCP data into them. - # Using 'both' will enable both file and dir modes. - # - # Note: limited by stream.reassembly.depth - - tcp-data: - enabled: no - type: file - filename: tcp-data.log - - # Log HTTP body data after normalization, dechunking and unzipping. - # 2 types: file or dir. File logs into a single logfile. Dir creates - # 2 files per HTTP session and stores the normalized data into them. - # Using 'both' will enable both file and dir modes. - # - # Note: limited by the body limit settings - - http-body-data: - enabled: no - type: file - filename: http-data.log - - # Lua Output Support - execute lua script to generate alert and event - # output. - # Documented at: - # https://suricata.readthedocs.io/en/latest/output/lua-output.html - - lua: - enabled: no - #scripts-dir: /etc/suricata/lua-output/ - scripts: - # - script1.lua - -# Logging configuration. This is not about logging IDS alerts/events, but -# output about what Suricata is doing, like startup messages, errors, etc. -logging: - # The default log level, can be overridden in an output section. - # Note that debug level logging will only be emitted if Suricata was - # compiled with the --enable-debug configure option. - # - # This value is overridden by the SC_LOG_LEVEL env var. - default-log-level: notice - - # The default output format. Optional parameter, should default to - # something reasonable if not provided. Can be overridden in an - # output section. You can leave this out to get the default. - # - # This value is overridden by the SC_LOG_FORMAT env var. - #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " - - # A regex to filter output. Can be overridden in an output section. - # Defaults to empty (no filter). - # - # This value is overridden by the SC_LOG_OP_FILTER env var. - default-output-filter: - - # Define your logging outputs. If none are defined, or they are all - # disabled you will get the default - console output. - outputs: - - console: - enabled: yes - # type: json - - file: - enabled: yes - level: info - filename: suricata.log - # type: json - - syslog: - enabled: no - facility: local5 - format: "[%i] <%d> -- " - # type: json - - -## -## Step 4: configure common capture settings -## -## See "Advanced Capture Options" below for more options, including NETMAP -## and PF_RING. -## - -# Linux high speed capture support -af-packet: - - interface: {{ interface }} - # Number of receive threads. "auto" uses the number of cores - #threads: auto - # Default clusterid. AF_PACKET will load balance packets based on flow. - cluster-id: 59 - # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. - # This is only supported for Linux kernel > 3.1 - # possible value are: - # * cluster_flow: all packets of a given flow are send to the same socket - # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket - # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same - # socket. Requires at least Linux 3.14. - # * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for - # more info. - # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system - # with capture card using RSS (require cpu affinity tuning and system irq tuning) - cluster-type: cluster_flow - # In some fragmentation case, the hash can not be computed. If "defrag" is set - # to yes, the kernel will do the needed defragmentation before sending the packets. - defrag: yes - # To use the ring feature of AF_PACKET, set 'use-mmap' to yes - use-mmap: yes - # Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock - # your system - #mmap-locked: yes - # Use tpacket_v3 capture mode, only active if use-mmap is true - # Don't use it in IPS or TAP mode as it causes severe latency - #tpacket-v3: yes - # Ring size will be computed with respect to max_pending_packets and number - # of threads. You can set manually the ring size in number of packets by setting - # the following value. If you are using flow cluster-type and have really network - # intensive single-flow you could want to set the ring-size independently of the number - # of threads: - #ring-size: 2048 - # Block size is used by tpacket_v3 only. It should set to a value high enough to contain - # a decent number of packets. Size is in bytes so please consider your MTU. It should be - # a power of 2 and it must be multiple of page size (usually 4096). - #block-size: 32768 - # tpacket_v3 block timeout: an open block is passed to userspace if it is not - # filled after block-timeout milliseconds. - #block-timeout: 10 - # On busy system, this could help to set it to yes to recover from a packet drop - # phase. This will result in some packets (at max a ring flush) being non treated. - #use-emergency-flush: yes - # recv buffer size, increase value could improve performance - # buffer-size: 32768 - # Set to yes to disable promiscuous mode - # disable-promisc: no - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - kernel: use indication sent by kernel for each packet (default) - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: kernel - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - # You can use the following variables to activate AF_PACKET tap or IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - #copy-mode: ips - #copy-iface: eth1 - # For eBPF and XDP setup including bypass, filter and load balancing, please - # see doc/userguide/capture-hardware/ebpf-xdp.rst for more info. - - # Put default values here. These will be used for an interface that is not - # in the list above. - - interface: default - #threads: auto - #use-mmap: no - #tpacket-v3: yes - -# Cross platform libpcap capture support -pcap: - - interface: eth0 - # On Linux, pcap will try to use mmaped capture and will use buffer-size - # as total of memory used by the ring. So set this to something bigger - # than 1% of your bandwidth. - #buffer-size: 16777216 - #bpf-filter: "tcp and port 25" - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # With some accelerator cards using a modified libpcap (like myricom), you - # may want to have the same number of capture threads as the number of capture - # rings. In this case, set up the threads variable to N to start N threads - # listening on the same interface. - #threads: 16 - # set to no to disable promiscuous mode: - #promisc: no - # set snaplen, if not set it defaults to MTU if MTU can be known - # via ioctl call and to full capture if not. - #snaplen: 1518 - # Put default values here - - interface: default - #checksum-checks: auto - -# Settings for reading pcap files -pcap-file: - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have checksum tested - checksum-checks: auto - -# See "Advanced Capture Options" below for more options, including NETMAP -# and PF_RING. - - -## -## Step 5: App Layer Protocol Configuration -## - -# Configure the app-layer parsers. The protocols section details each -# protocol. -# -# The option "enabled" takes 3 values - "yes", "no", "detection-only". -# "yes" enables both detection and the parser, "no" disables both, and -# "detection-only" enables protocol detection only (parser disabled). -app-layer: - protocols: - krb5: - enabled: yes - snmp: - enabled: yes - ikev2: - enabled: yes - tls: - enabled: yes - detection-ports: - dp: 443 - - # Generate JA3 fingerprint from client hello. If not specified it - # will be disabled by default, but enabled if rules require it. - #ja3-fingerprints: auto - - # What to do when the encrypted communications start: - # - default: keep tracking TLS session, check for protocol anomalies, - # inspect tls_* keywords. Disables inspection of unmodified - # 'content' signatures. - # - bypass: stop processing this flow as much as possible. No further - # TLS parsing and inspection. Offload flow bypass to kernel - # or hardware if possible. - # - full: keep tracking and inspection as normal. Unmodified content - # keyword signatures are inspected as well. - # - # For best performance, select 'bypass'. - # - #encryption-handling: default - - dcerpc: - enabled: yes - ftp: - enabled: yes - # memcap: 64mb - # RDP, disabled by default. - rdp: - #enabled: no - ssh: - enabled: yes - smtp: - enabled: yes - raw-extraction: no - # Configure SMTP-MIME Decoder - mime: - # Decode MIME messages from SMTP transactions - # (may be resource intensive) - # This field supercedes all others because it turns the entire - # process on or off - decode-mime: yes - - # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) - decode-base64: yes - decode-quoted-printable: yes - - # Maximum bytes per header data value stored in the data structure - # (default is 2000) - header-value-depth: 2000 - - # Extract URLs and save in state data structure - extract-urls: yes - # Set to yes to compute the md5 of the mail body. You will then - # be able to journalize it. - body-md5: no - # Configure inspected-tracker for file_data keyword - inspected-tracker: - content-limit: 100000 - content-inspect-min-size: 32768 - content-inspect-window: 4096 - imap: - enabled: detection-only - smb: - enabled: yes - detection-ports: - dp: 139, 445 - - # Stream reassembly size for SMB streams. By default track it completely. - #stream-depth: 0 - - nfs: - enabled: yes - tftp: - enabled: yes - dns: - # memcaps. Globally and per flow/state. - #global-memcap: 16mb - #state-memcap: 512kb - - # How many unreplied DNS requests are considered a flood. - # If the limit is reached, app-layer-event:dns.flooded; will match. - #request-flood: 500 - - tcp: - enabled: yes - detection-ports: - dp: 53 - udp: - enabled: yes - detection-ports: - dp: 53 - http: - enabled: yes - # memcap: Maximum memory capacity for http - # Default is unlimited, value can be such as 64mb - - # default-config: Used when no server-config matches - # personality: List of personalities used by default - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # - # For advanced options, see the user guide - - - # server-config: List of server configurations to use if address matches - # address: List of IP addresses or networks for this block - # personalitiy: List of personalities used by this block - # - # Then, all the fields from default-config can be overloaded - # - # Currently Available Personalities: - # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, - # IIS_7_0, IIS_7_5, Apache_2 - libhtp: - default-config: - personality: IDS - - # Can be specified in kb, mb, gb. Just a number indicates - # it's in bytes. - request-body-limit: 100kb - response-body-limit: 100kb - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 40kb - response-body-inspect-window: 16kb - - # response body decompression (0 disables) - response-body-decompress-layer-limit: 2 - - # auto will use http-body-inline mode in IPS mode, yes or no set it statically - http-body-inline: auto - - # Decompress SWF files. - # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma - # compress-depth: - # Specifies the maximum amount of data to decompress, - # set 0 for unlimited. - # decompress-depth: - # Specifies the maximum amount of decompressed data to obtain, - # set 0 for unlimited. - swf-decompression: - enabled: yes - type: both - compress-depth: 0 - decompress-depth: 0 - - # Take a random value for inspection sizes around the specified value. - # This lower the risk of some evasion technics but could lead - # detection change between runs. It is set to 'yes' by default. - #randomize-inspection-sizes: yes - # If randomize-inspection-sizes is active, the value of various - # inspection size will be choosen in the [1 - range%, 1 + range%] - # range - # Default value of randomize-inspection-range is 10. - #randomize-inspection-range: 10 - - # decoding - double-decode-path: no - double-decode-query: no - - # Can disable LZMA decompression - #lzma-enabled: yes - # Memory limit usage for LZMA decompression dictionary - # Data is decompressed until dictionary reaches this size - #lzma-memlimit: 1mb - # Maximum decompressed size with a compression ratio - # above 2048 (only LZMA can reach this ratio, deflate cannot) - #compression-bomb-limit: 1mb - - server-config: - - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - # Note: Modbus probe parser is minimalist due to the poor significant field - # Only Modbus message length (greater than Modbus header length) - # And Protocol ID (equal to 0) are checked in probing parser - # It is important to enable detection port and define Modbus port - # to avoid false positive - modbus: - # How many unreplied Modbus requests are considered a flood. - # If the limit is reached, app-layer-event:modbus.flooded; will match. - #request-flood: 500 - - enabled: no - detection-ports: - dp: 502 - # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it - # is recommended to keep the TCP connection opened with a remote device - # and not to open and close it for each MODBUS/TCP transaction. In that - # case, it is important to set the depth of the stream reassembling as - # unlimited (stream.reassembly.depth: 0) - - # Stream reassembly size for modbus. By default track it completely. - stream-depth: 0 - - # DNP3 - dnp3: - enabled: no - detection-ports: - dp: 20000 - - # SCADA EtherNet/IP and CIP protocol support - enip: - enabled: no - detection-ports: - dp: 44818 - sp: 44818 - - ntp: - enabled: yes - - dhcp: - enabled: yes - - # SIP, disabled by default. - sip: - #enabled: no - -# Limit for the maximum number of asn1 frames to decode (default 256) -asn1-max-frames: 256 - - -############################################################################## -## -## Advanced settings below -## -############################################################################## - -## -## Run Options -## - -# Run suricata as user and group. -run-as: - user: suricata - group: suricata - -# Some logging module will use that name in event as identifier. The default -# value is the hostname -#sensor-name: suricata - -# Default location of the pid file. The pid file is only used in -# daemon mode (start Suricata with -D). If not running in daemon mode -# the --pidfile command line option must be used to create a pid file. -#pid-file: /var/run/suricata.pid - -# Daemon working directory -# Suricata will change directory to this one if provided -# Default: "/" -#daemon-directory: "/" - -# Umask. -# Suricata will use this umask if it is provided. By default it will use the -# umask passed on by the shell. -#umask: 022 - -# Suricata core dump configuration. Limits the size of the core dump file to -# approximately max-dump. The actual core dump size will be a multiple of the -# page size. Core dumps that would be larger than max-dump are truncated. On -# Linux, the actual core dump size may be a few pages larger than max-dump. -# Setting max-dump to 0 disables core dumping. -# Setting max-dump to 'unlimited' will give the full core dump file. -# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size -# to be 'unlimited'. - -coredump: - max-dump: unlimited - -# If Suricata box is a router for the sniffed networks, set it to 'router'. If -# it is a pure sniffing setup, set it to 'sniffer-only'. -# If set to auto, the variable is internally switch to 'router' in IPS mode -# and 'sniffer-only' in IDS mode. -# This feature is currently only used by the reject* keywords. -host-mode: auto - -# Number of packets preallocated per thread. The default is 1024. A higher number -# will make sure each CPU will be more easily kept busy, but may negatively -# impact caching. -max-pending-packets: 5000 - -# Runmode the engine should use. Please check --list-runmodes to get the available -# runmodes for each packet acquisition method. Default depends on selected capture -# method. 'workers' generally gives best performance. -runmode: workers - -# Specifies the kind of flow load balancer used by the flow pinned autofp mode. -# -# Supported schedulers are: -# -# hash - Flow assigned to threads using the 5-7 tuple hash. -# ippair - Flow assigned to threads using addresses only. -# -#autofp-scheduler: hash - -# Preallocated size for packet. Default is 1514 which is the classical -# size for pcap on ethernet. You should adjust this value to the highest -# packet size (MTU + hardware header) on your system. -default-packet-size: {{ MTU + 15 }} - -# Unix command socket can be used to pass commands to Suricata. -# An external tool can then connect to get information from Suricata -# or trigger some modifications of the engine. Set enabled to yes -# to activate the feature. In auto mode, the feature will only be -# activated in live capture mode. You can use the filename variable to set -# the file name of the socket. -unix-command: - enabled: auto - #filename: custom.socket - -# Magic file. The extension .mgc is added to the value here. -#magic-file: /usr/share/file/magic -#magic-file: - -# GeoIP2 database file. Specify path and filename of GeoIP2 database -# if using rules with "geoip" rule option. -#geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb - -legacy: - uricontent: enabled - -## -## Detection settings -## - -# Set the order of alerts based on actions -# The default order is pass, drop, reject, alert -# action-order: -# - pass -# - drop -# - reject -# - alert - -# IP Reputation -#reputation-categories-file: /etc/suricata/iprep/categories.txt -#default-reputation-path: /etc/suricata/iprep -#reputation-files: -# - reputation.list - -# When run with the option --engine-analysis, the engine will read each of -# the parameters below, and print reports for each of the enabled sections -# and exit. The reports are printed to a file in the default log dir -# given by the parameter "default-log-dir", with engine reporting -# subsection below printing reports in its own report file. -engine-analysis: - # enables printing reports for fast-pattern for every rule. - rules-fast-pattern: yes - # enables printing reports for each rule - rules: yes - -#recursion and match limits for PCRE where supported -pcre: - match-limit: 3500 - match-limit-recursion: 1500 - -## -## Advanced Traffic Tracking and Reconstruction Settings -## - -# Host specific policies for defragmentation and TCP stream -# reassembly. The host OS lookup is done using a radix tree, just -# like a routing table so the most specific entry matches. -host-os-policy: - # Make the default policy windows. - windows: [0.0.0.0/0] - bsd: [] - bsd-right: [] - old-linux: [] - linux: [] - old-solaris: [] - solaris: [] - hpux10: [] - hpux11: [] - irix: [] - macos: [] - vista: [] - windows2k3: [] - -# Defrag settings: - -defrag: - memcap: 32mb - hash-size: 65536 - trackers: 65535 # number of defragmented flows to follow - max-frags: 65535 # number of fragments to keep (higher than trackers) - prealloc: yes - timeout: 60 - -# Enable defrag per host settings -# host-config: -# -# - dmz: -# timeout: 30 -# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] -# -# - lan: -# timeout: 45 -# address: -# - 192.168.0.0/24 -# - 192.168.10.0/24 -# - 172.16.14.0/24 - -# Flow settings: -# By default, the reserved memory (memcap) for flows is 32MB. This is the limit -# for flow allocation inside the engine. You can change this value to allow -# more memory usage for flows. -# The hash-size determine the size of the hash used to identify flows inside -# the engine, and by default the value is 65536. -# At the startup, the engine can preallocate a number of flows, to get a better -# performance. The number of flows preallocated is 10000 by default. -# emergency-recovery is the percentage of flows that the engine need to -# prune before unsetting the emergency state. The emergency state is activated -# when the memcap limit is reached, allowing to create new flows, but -# pruning them with the emergency timeouts (they are defined below). -# If the memcap is reached, the engine will try to prune flows -# with the default timeouts. If it doesn't find a flow to prune, it will set -# the emergency bit and it will try again with more aggressive timeouts. -# If that doesn't work, then it will try to kill the last time seen flows -# not in use. -# The memcap can be specified in kb, mb, gb. Just a number indicates it's -# in bytes. - -flow: - memcap: 128mb - hash-size: 65536 - prealloc: 10000 - emergency-recovery: 30 - #managers: 1 # default to one flow manager - #recyclers: 1 # default to one flow recycler thread - -# This option controls the use of vlan ids in the flow (and defrag) -# hashing. Normally this should be enabled, but in some (broken) -# setups where both sides of a flow are not tagged with the same vlan -# tag, we can ignore the vlan id's in the flow hashing. -vlan: - use-for-tracking: true - -# Specific timeouts for flows. Here you can specify the timeouts that the -# active flows will wait to transit from the current state to another, on each -# protocol. The value of "new" determine the seconds to wait after a handshake or -# stream startup before the engine free the data of that flow it doesn't -# change the state to established (usually if we don't receive more packets -# of that flow). The value of "established" is the amount of -# seconds that the engine will wait to free the flow if it spend that amount -# without receiving new packets or closing the connection. "closed" is the -# amount of time to wait after a flow is closed (usually zero). "bypassed" -# timeout controls locally bypassed flows. For these flows we don't do any other -# tracking. If no packets have been seen after this timeout, the flow is discarded. -# -# There's an emergency mode that will become active under attack circumstances, -# making the engine to check flow status faster. This configuration variables -# use the prefix "emergency-" and work similar as the normal ones. -# Some timeouts doesn't apply to all the protocols, like "closed", for udp and -# icmp. - -flow-timeouts: - - default: - new: 30 - established: 300 - closed: 0 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-closed: 0 - emergency-bypassed: 50 - tcp: - new: 60 - established: 600 - closed: 60 - bypassed: 100 - emergency-new: 5 - emergency-established: 100 - emergency-closed: 10 - emergency-bypassed: 50 - udp: - new: 30 - established: 300 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-bypassed: 50 - icmp: - new: 30 - established: 300 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-bypassed: 50 - -# Stream engine settings. Here the TCP stream tracking and reassembly -# engine is configured. -# -# stream: -# memcap: 32mb # Can be specified in kb, mb, gb. Just a -# # number indicates it's in bytes. -# checksum-validation: yes # To validate the checksum of received -# # packet. If csum validation is specified as -# # "yes", then packet with invalid csum will not -# # be processed by the engine stream/app layer. -# # Warning: locally generated traffic can be -# # generated without checksum due to hardware offload -# # of checksum. You can control the handling of checksum -# # on a per-interface basis via the 'checksum-checks' -# # option -# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread -# midstream: false # don't allow midstream session pickups -# async-oneside: false # don't enable async stream handling -# inline: no # stream inline mode -# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine -# max-synack-queued: 5 # Max different SYN/ACKs to queue -# bypass: no # Bypass packets when stream.reassembly.depth is reached. -# # Warning: first side to reach this triggers -# # the bypass. -# -# reassembly: -# memcap: 64mb # Can be specified in kb, mb, gb. Just a number -# # indicates it's in bytes. -# depth: 1mb # Can be specified in kb, mb, gb. Just a number -# # indicates it's in bytes. -# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. -# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. -# randomize-chunk-size: yes # Take a random value for chunk size around the specified value. -# # This lower the risk of some evasion technics but could lead -# # detection change between runs. It is set to 'yes' by default. -# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is -# # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size -# # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same -# # calculation for toclient-chunk-size. -# # Default value of randomize-chunk-range is 10. -# -# raw: yes # 'Raw' reassembly enabled or disabled. -# # raw is for content inspection by detection -# # engine. -# -# segment-prealloc: 2048 # number of segments preallocated per thread -# -# check-overlap-different-data: true|false -# # check if a segment contains different data -# # than what we've already seen for that -# # position in the stream. -# # This is enabled automatically if inline mode -# # is used or when stream-event:reassembly_overlap_different_data; -# # is used in a rule. -# -stream: - memcap: 64mb - checksum-validation: yes # reject wrong csums - inline: auto # auto will use inline mode in IPS mode, yes or no set it statically - reassembly: - memcap: 256mb - depth: 1mb # reassemble 1mb into a stream - toserver-chunk-size: 2560 - toclient-chunk-size: 2560 - randomize-chunk-size: yes - #randomize-chunk-range: 10 - #raw: yes - #segment-prealloc: 2048 - #check-overlap-different-data: true - -# Host table: -# -# Host table is used by tagging and per host thresholding subsystems. -# -host: - hash-size: 4096 - prealloc: 1000 - memcap: 32mb - -# IP Pair table: -# -# Used by xbits 'ippair' tracking. -# -#ippair: -# hash-size: 4096 -# prealloc: 1000 -# memcap: 32mb - -# Decoder settings - -decoder: - # Teredo decoder is known to not be completely accurate - # as it will sometimes detect non-teredo as teredo. - teredo: - enabled: true - # ports to look for Teredo. Max 4 ports. If no ports are given, or - # the value is set to 'any', Teredo detection runs on _all_ UDP packets. - ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'. - - # VXLAN decoder is assigned to up to 4 UDP ports. By default only the - # IANA assigned port 4789 is enabled. - vxlan: - enabled: true - ports: $VXLAN_PORTS # syntax: '8472, 4789' - # ERSPAN Type I decode support - erspan: - typeI: - enabled: false - - -## -## Performance tuning and profiling -## - -# The detection engine builds internal groups of signatures. The engine -# allow us to specify the profile to use for them, to manage memory on an -# efficient way keeping a good performance. For the profile keyword you -# can use the words "low", "medium", "high" or "custom". If you use custom -# make sure to define the values at "- custom-values" as your convenience. -# Usually you would prefer medium/high/low. -# -# "sgh mpm-context", indicates how the staging should allot mpm contexts for -# the signature groups. "single" indicates the use of a single context for -# all the signature group heads. "full" indicates a mpm-context for each -# group head. "auto" lets the engine decide the distribution of contexts -# based on the information the engine gathers on the patterns from each -# group head. -# -# The option inspection-recursion-limit is used to limit the recursive calls -# in the content inspection code. For certain payload-sig combinations, we -# might end up taking too much time in the content inspection code. -# If the argument specified is 0, the engine uses an internally defined -# default limit. On not specifying a value, we use no limits on the recursion. -detect: - profile: medium - custom-values: - toclient-groups: 3 - toserver-groups: 25 - sgh-mpm-context: auto - inspection-recursion-limit: 3000 - # If set to yes, the loading of signatures will be made after the capture - # is started. This will limit the downtime in IPS mode. - #delayed-detect: yes - - prefilter: - # default prefiltering setting. "mpm" only creates MPM/fast_pattern - # engines. "auto" also sets up prefilter engines for other keywords. - # Use --list-keywords=all to see which keywords support prefiltering. - default: mpm - - # the grouping values above control how many groups are created per - # direction. Port whitelisting forces that port to get it's own group. - # Very common ports will benefit, as well as ports with many expensive - # rules. - grouping: - #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 - #udp-whitelist: 53, 135, 5060 - - profiling: - # Log the rules that made it past the prefilter stage, per packet - # default is off. The threshold setting determines how many rules - # must have made it past pre-filter for that rule to trigger the - # logging. - #inspect-logging-threshold: 200 - grouping: - dump-to-disk: false - include-rules: false # very verbose - include-mpm-stats: false - -# Select the multi pattern algorithm you want to run for scan/search the -# in the engine. -# -# The supported algorithms are: -# "ac" - Aho-Corasick, default implementation -# "ac-bs" - Aho-Corasick, reduced memory implementation -# "ac-ks" - Aho-Corasick, "Ken Steele" variant -# "hs" - Hyperscan, available when built with Hyperscan support -# -# The default mpm-algo value of "auto" will use "hs" if Hyperscan is -# available, "ac" otherwise. -# -# The mpm you choose also decides the distribution of mpm contexts for -# signature groups, specified by the conf - "detect.sgh-mpm-context". -# Selecting "ac" as the mpm would require "detect.sgh-mpm-context" -# to be set to "single", because of ac's memory requirements, unless the -# ruleset is small enough to fit in one's memory, in which case one can -# use "full" with "ac". Rest of the mpms can be run in "full" mode. - -mpm-algo: auto - -# Select the matching algorithm you want to use for single-pattern searches. -# -# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only -# available if Suricata has been built with Hyperscan support). -# -# The default of "auto" will use "hs" if available, otherwise "bm". - -spm-algo: auto - -# Suricata is multi-threaded. Here the threading can be influenced. -threading: - set-cpu-affinity: yes - # Tune cpu affinity of threads. Each family of threads can be bound - # on specific CPUs. - # - # These 2 apply to the all runmodes: - # management-cpu-set is used for flow timeout handling, counters - # worker-cpu-set is used for 'worker' threads - # - # Additionally, for autofp these apply: - # receive-cpu-set is used for capture threads - # verdict-cpu-set is used for IPS verdict threads - # - {%- if salt['pillar.get']('sensor:suriprocs') %} - cpu-affinity: - - management-cpu-set: - cpu: [ all ] # include only these CPUs in affinity settings - - receive-cpu-set: - cpu: [ all ] # include only these CPUs in affinity settings - - worker-cpu-set: - cpu: [ "all" ] - mode: "exclusive" - # Use explicitely 3 threads and don't compute number by using - # detect-thread-ratio variable: - # threads: 3 - threads: {{ salt['pillar.get']('sensor:suriprocs') }} - prio: - low: [ 0 ] - medium: [ "1-2" ] - high: [ 3 ] - default: "high" - #- verdict-cpu-set: - # cpu: [ 0 ] - # prio: - # default: "high" - {%- endif -%} - {%- if salt['pillar.get']('sensor:suripins') %} - cpu-affinity: - - management-cpu-set: - cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings - - receive-cpu-set: - cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings - - worker-cpu-set: - cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] - mode: "exclusive" - # Use explicitely 3 threads and don't compute number by using - # detect-thread-ratio variable: - threads: {{ salt['pillar.get']('sensor:suripins')|length }} - prio: - default: "high" - {% endif %} - - # - # By default Suricata creates one "detect" thread per available CPU/CPU core. - # This setting allows controlling this behaviour. A ratio setting of 2 will - # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this - # will result in 4 detect threads. If values below 1 are used, less threads - # are created. So on a dual core CPU a setting of 0.5 results in 1 detect - # thread being created. Regardless of the setting at a minimum 1 detect - # thread will always be created. - # - detect-thread-ratio: 1.0 - -# Luajit has a strange memory requirement, it's 'states' need to be in the -# first 2G of the process' memory. -# -# 'luajit.states' is used to control how many states are preallocated. -# State use: per detect script: 1 per detect thread. Per output script: 1 per -# script. -luajit: - states: 128 - -# Profiling settings. Only effective if Suricata has been built with the -# the --enable-profiling configure flag. -# -profiling: - # Run profiling for every xth packet. The default is 1, which means we - # profile every packet. If set to 1000, one packet is profiled for every - # 1000 received. - #sample-rate: 1000 - - # rule profiling - rules: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: rule_perf.log - append: yes - - # Sort options: ticks, avgticks, checks, matches, maxticks - # If commented out all the sort options will be used. - #sort: avgticks - - # Limit the number of sids for which stats are shown at exit (per sort). - limit: 10 - - # output to json - json: yes - - # per keyword profiling - keywords: - enabled: yes - filename: keyword_perf.log - append: yes - - prefilter: - enabled: yes - filename: prefilter_perf.log - append: yes - - # per rulegroup profiling - rulegroups: - enabled: yes - filename: rule_group_perf.log - append: yes - - # packet profiling - packets: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: packet_stats.log - append: yes - - # per packet csv output - csv: - - # Output can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: no - filename: packet_stats.csv - - # profiling of locking. Only available when Suricata was built with - # --enable-profiling-locks. - locks: - enabled: no - filename: lock_stats.log - append: yes - - pcap-log: - enabled: no - filename: pcaplog_stats.log - append: yes - -## -## Netfilter integration -## - -# When running in NFQ inline mode, it is possible to use a simulated -# non-terminal NFQUEUE verdict. -# This permit to do send all needed packet to Suricata via this a rule: -# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE -# And below, you can have your standard filtering ruleset. To activate -# this mode, you need to set mode to 'repeat' -# If you want packet to be sent to another queue after an ACCEPT decision -# set mode to 'route' and set next-queue value. -# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance -# by processing several packets before sending a verdict (worker runmode only). -# On linux >= 3.6, you can set the fail-open option to yes to have the kernel -# accept the packet if Suricata is not able to keep pace. -# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is -# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask -# on packet of a flow that need to be bypassed. The Nefilter ruleset has to -# directly accept all packets of a flow once a packet has been marked. -nfq: -# mode: accept -# repeat-mark: 1 -# repeat-mask: 1 -# bypass-mark: 1 -# bypass-mask: 1 -# route-queue: 2 -# batchcount: 20 -# fail-open: yes - -#nflog support -nflog: - # netlink multicast group - # (the same as the iptables --nflog-group param) - # Group 0 is used by the kernel, so you can't use it - - group: 2 - # netlink buffer size - buffer-size: 18432 - # put default value here - - group: default - # set number of packet to queue inside kernel - qthreshold: 1 - # set the delay before flushing packet in the queue inside kernel - qtimeout: 100 - # netlink max buffer size - max-size: 20000 - -## -## Advanced Capture Options -## - -# general settings affecting packet capture -capture: - # disable NIC offloading. It's restored when Suricata exits. - # Enabled by default. - #disable-offloading: false - # - # disable checksum validation. Same as setting '-k none' on the - # commandline. - #checksum-validation: none - -# Netmap support -# -# Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which have -# built-in netmap support or compile and install netmap module and appropriate -# NIC driver on your Linux system. -# To reach maximum throughput disable all receive-, segmentation-, -# checksum- offloadings on NIC. -# Disabling Tx checksum offloading is *required* for connecting OS endpoint -# with NIC endpoint. -# You can find more information at https://github.com/luigirizzo/netmap -# -netmap: - # To specify OS endpoint add plus sign at the end (e.g. "eth0+") - - interface: eth2 - # Number of capture threads. "auto" uses number of RSS queues on interface. - # Warning: unless the RSS hashing is symmetrical, this will lead to - # accuracy issues. - #threads: auto - # You can use the following variables to activate netmap tap or IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - # To specify the OS as the copy-iface (so the OS can route packets, or forward - # to a service running on the same machine) add a plus sign at the end - # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 - # for return packets. Hardware checksumming must be *off* on the interface if - # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD - # or 'ethtool -K eth0 tx off rx off' for Linux). - #copy-mode: tap - #copy-iface: eth3 - # Set to yes to disable promiscuous mode - # disable-promisc: no - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - #- interface: eth3 - #threads: auto - #copy-mode: tap - #copy-iface: eth2 - # Put default values here - - interface: default - -# PF_RING configuration. for use with native PF_RING support -# for more info see http://www.ntop.org/products/pf_ring/ -pfring: - - interface: eth0 - # Number of receive threads. If set to 'auto' Suricata will first try - # to use CPU (core) count and otherwise RSS queue count. - threads: auto - - # Default clusterid. PF_RING will load balance packets based on flow. - # All threads/processes that will participate need to have the same - # clusterid. - cluster-id: 99 - - # Default PF_RING cluster type. PF_RING can load balance per flow. - # Possible values are cluster_flow or cluster_round_robin. - cluster-type: cluster_flow - - # bpf filter for this interface - #bpf-filter: tcp - - # If bypass is set then the PF_RING hw bypass is activated, when supported - # by the interface in use. Suricata will instruct the interface to bypass - # all future packets for a flow that need to be bypassed. - #bypass: yes - - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - rxonly: only compute checksum for packets received by network card. - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # Second interface - #- interface: eth1 - # threads: 3 - # cluster-id: 93 - # cluster-type: cluster_flow - # Put default values here - - interface: default - #threads: 2 - -# For FreeBSD ipfw(8) divert(4) support. -# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" -# in /etc/loader.conf or kldload'ing the appropriate kernel modules. -# Additionally, you need to have an ipfw rule for the engine to see -# the packets from ipfw. For Example: -# -# ipfw add 100 divert 8000 ip from any to any -# -# The 8000 above should be the same number you passed on the command -# line, i.e. -d 8000 -# -ipfw: - - # Reinject packets at the specified ipfw rule number. This config - # option is the ipfw rule number AT WHICH rule processing continues - # in the ipfw processing system after the engine has finished - # inspecting the packet for acceptance. If no rule number is specified, - # accepted packets are reinjected at the divert rule which they entered - # and IPFW rule processing continues. No check is done to verify - # this will rule makes sense so care must be taken to avoid loops in ipfw. - # - ## The following example tells the engine to reinject packets - # back into the ipfw firewall AT rule number 5500: - # - # ipfw-reinjection-rule-number: 5500 - - -napatech: - # The Host Buffer Allowance for all streams - # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) - # This may be enabled when sharing streams with another application. - # Otherwise, it should be turned off. - #hba: -1 - - # When use_all_streams is set to "yes" the initialization code will query - # the Napatech service for all configured streams and listen on all of them. - # When set to "no" the streams config array will be used. - # - # This option necessitates running the appropriate NTPL commands to create - # the desired streams prior to running suricata. - #use-all-streams: no - - # The streams to listen on when auto-config is disabled or when and threading - # cpu-affinity is disabled. This can be either: - # an individual stream (e.g. streams: [0]) - # or - # a range of streams (e.g. streams: ["0-3"]) - # - streams: ["0-3"] - - # When auto-config is enabled the streams will be created and assigned - # automatically to the NUMA node where the thread resides. If cpu-affinity - # is enabled in the threading section. Then the streams will be created - # according to the number of worker threads specified in the worker cpu set. - # Otherwise, the streams array is used to define the streams. - # - # This option cannot be used simultaneous with "use-all-streams". - # - auto-config: yes - - # Ports indicates which napatech ports are to be used in auto-config mode. - # these are the port ID's of the ports that will be merged prior to the - # traffic being distributed to the streams. - # - # This can be specified in any of the following ways: - # - # a list of individual ports (e.g. ports: [0,1,2,3]) - # - # a range of ports (e.g. ports: [0-3]) - # - # "all" to indicate that all ports are to be merged together - # (e.g. ports: [all]) - # - # This has no effect if auto-config is disabled. - # - ports: [all] - - # When auto-config is enabled the hashmode specifies the algorithm for - # determining to which stream a given packet is to be delivered. - # This can be any valid Napatech NTPL hashmode command. - # - # The most common hashmode commands are: hash2tuple, hash2tuplesorted, - # hash5tuple, hash5tuplesorted and roundrobin. - # - # See Napatech NTPL documentation other hashmodes and details on their use. - # - # This has no effect if auto-config is disabled. - # - hashmode: hash5tuplesorted - -## -## Configure Suricata to load Suricata-Update managed rules. -## -## If this section is completely commented out move down to the "Advanced rule -## file configuration". -## - -default-rule-path: /etc/suricata/rules - -rule-files: - - all.rules - -## -## Auxiliary configuration files. -## - -classification-file: /etc/suricata/classification.config -reference-config-file: /etc/suricata/reference.config -# threshold-file: /etc/suricata/threshold.config - -## -## Include other configs -## - -# Includes. Files included here will be handled as if they were -# inlined in this configuration file. -#include: include1.yaml -#include: include2.yaml diff --git a/salt/suricata/files/suricata.yaml.jinja b/salt/suricata/files/suricata.yaml.jinja new file mode 100644 index 000000000..aa4d2e4e2 --- /dev/null +++ b/salt/suricata/files/suricata.yaml.jinja @@ -0,0 +1,3 @@ +%YAML 1.1 +--- +{{ suricata_config | yaml(False) }} \ No newline at end of file diff --git a/salt/suricata/files/suricataMETA.yaml b/salt/suricata/files/suricataMETA.yaml deleted file mode 100644 index 61e3be6ec..000000000 --- a/salt/suricata/files/suricataMETA.yaml +++ /dev/null @@ -1,1883 +0,0 @@ -%YAML 1.1 ---- - {%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} - {%- if grains['role'] == 'so-eval' %} - {%- set MTU = 1500 %} - {%- elif grains['role'] == 'so-helix' %} - {%- set MTU = 9000 %} - {%- else %} - {%- set MTU = salt['pillar.get']('sensor:mtu', '1500') %} - {%- endif %} - {%- if salt['pillar.get']('sensor:homenet') %} - {%- set homenet = salt['pillar.get']('sensor:hnsensor', '') %} - {%- else %} - {%- set homenet = salt['pillar.get']('static:hnmaster', '') %} - {%- endif %} -# Suricata configuration file. In addition to the comments describing all -# options in this file, full documentation can be found at: -# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html - -## -## Step 1: inform Suricata about your network -## - -vars: - # more specific is better for alert accuracy and performance - address-groups: - HOME_NET: "[{{ homenet }}]" - #HOME_NET: "[192.168.0.0/16]" - #HOME_NET: "[10.0.0.0/8]" - #HOME_NET: "[172.16.0.0/12]" - #HOME_NET: "any" - - EXTERNAL_NET: "!$HOME_NET" - #EXTERNAL_NET: "any" - - HTTP_SERVERS: "$HOME_NET" - SMTP_SERVERS: "$HOME_NET" - SQL_SERVERS: "$HOME_NET" - DNS_SERVERS: "$HOME_NET" - TELNET_SERVERS: "$HOME_NET" - AIM_SERVERS: "$EXTERNAL_NET" - DC_SERVERS: "$HOME_NET" - DNP3_SERVER: "$HOME_NET" - DNP3_CLIENT: "$HOME_NET" - MODBUS_CLIENT: "$HOME_NET" - MODBUS_SERVER: "$HOME_NET" - ENIP_CLIENT: "$HOME_NET" - ENIP_SERVER: "$HOME_NET" - - port-groups: - HTTP_PORTS: "80" - SHELLCODE_PORTS: "!80" - ORACLE_PORTS: 1521 - SSH_PORTS: 22 - DNP3_PORTS: 20000 - MODBUS_PORTS: 502 - FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" - FTP_PORTS: 21 - VXLAN_PORTS: 4789 - TEREDO_PORTS: 3544 - -## -## Step 2: select outputs to enable -## - -# The default logging directory. Any log or output file will be -# placed here if its not specified with a full path name. This can be -# overridden with the -l command line parameter. -default-log-dir: /var/log/suricata/ - -# global stats configuration -stats: - enabled: yes - # The interval field (in seconds) controls at what interval - # the loggers are invoked. - interval: 30 - # Add decode events as stats. - #decoder-events: true - # Decoder event prefix in stats. Has been 'decoder' before, but that leads - # to missing events in the eve.stats records. See issue #2225. - #decoder-events-prefix: "decoder.event" - # Add stream events as stats. - #stream-events: false - -# Configure the type of alert (and other) logging you would like. -outputs: - # a line based alerts log similar to Snort's fast.log - - fast: - enabled: no - filename: fast.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # Extensible Event Format (nicknamed EVE) event log in JSON format - - eve-log: - enabled: yes - filetype: regular #regular|syslog|unix_dgram|unix_stream|redis - filename: /nsm/eve-%Y-%m-%d-%H:%M.json - rotate-interval: hour - - #prefix: "@cee: " # prefix to prepend to each log entry - # the following are valid when type: syslog above - #identity: "suricata" - #facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - #redis: - # server: 127.0.0.1 - # port: 6379 - # async: true ## if redis replies are read asynchronously - # mode: list ## possible values: list|lpush (default), rpush, channel|publish - # ## lpush and rpush are using a Redis list. "list" is an alias for lpush - # ## publish is using a Redis channel. "channel" is an alias for publish - # key: suricata ## key or channel to use (default to suricata) - # Redis pipelining set up. This will enable to only do a query every - # 'batch-size' events. This should lower the latency induced by network - # connection at the cost of some memory. There is no flushing implemented - # so this setting as to be reserved to high traffic suricata. - # pipelining: - # enabled: yes ## set enable to yes to enable query pipelining - # batch-size: 10 ## number of entry to keep in buffer - - # Include top level metadata. Default yes. - #metadata: no - - # include the name of the input pcap file in pcap file processing mode - pcap-file: false - - # Community Flow ID - # Adds a 'community_id' field to EVE records. These are meant to give - # a records a predictable flow id that can be used to match records to - # output of other tools such as Bro. - # - # Takes a 'seed' that needs to be same across sensors and tools - # to make the id less predictable. - - # enable/disable the community id feature. - community-id: true - # Seed value for the ID output. Valid values are 0-65535. - community-id-seed: 0 - - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - - types: - - alert: - payload: no # enable dumping payload in Base64 - payload-buffer-size: 4kb # max size of payload buffer to output in eve-log - payload-printable: yes # enable dumping payload in printable (lossy) format - packet: yes # enable dumping of packet (without stream segments) - metadata: - app-layer: false - flow: false - rule: - metadata: true - raw: true - - # http-body: yes # Requires metadata; enable dumping of http body in Base64 - # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format - - # Enable the logging of tagged packets for rules using the - # "tag" keyword. - tagged-packets: no - - anomaly: - # Anomaly log records describe unexpected conditions such - # as truncated packets, packets with invalid IP/UDP/TCP - # length values, and other events that render the packet - # invalid for further processing or describe unexpected - # behavior on an established stream. Networks which - # experience high occurrences of anomalies may experience - # packet processing degradation. - # - # Anomalies are reported for the following: - # 1. Decode: Values and conditions that are detected while - # decoding individual packets. This includes invalid or - # unexpected values for low-level protocol lengths as well - # as stream related events (TCP 3-way handshake issues, - # unexpected sequence number, etc). - # 2. Stream: This includes stream related events (TCP - # 3-way handshake issues, unexpected sequence number, - # etc). - # 3. Application layer: These denote application layer - # specific conditions that are unexpected, invalid or are - # unexpected given the application monitoring state. - # - # By default, anomaly logging is disabled. When anomaly - # logging is enabled, applayer anomaly reporting is - # enabled. - enabled: no - # - # Choose one or more types of anomaly logging and whether to enable - # logging of the packet header for packet anomalies. - types: - decode: no - stream: no - applayer: yes - packethdr: no - - http: - extended: yes # enable this for extended logging information - # custom allows additional http fields to be included in eve-log - # the example below adds three additional fields when uncommented - #custom: [Accept-Encoding, Accept-Language, Authorization] - # set this value to one and only one among {both, request, response} - # to dump all http headers for every http request and/or response - # dump-all-headers: none - - dns: - # This configuration uses the new DNS logging format, - # the old configuration is still available: - # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format - - # As of Suricata 5.0, version 2 of the eve dns output - # format is the default. - version: 2 - - # Enable/disable this logger. Default: enabled. - enabled: yes - - # Control logging of requests and responses: - # - requests: enable logging of DNS queries - # - responses: enable logging of DNS answers - # By default both requests and responses are logged. - #requests: no - #responses: no - - # Format of answer logging: - # - detailed: array item per answer - # - grouped: answers aggregated by type - # Default: all - #formats: [detailed, grouped] - - # Types to log, based on the query type. - # Default: all. - #types: [a, aaaa, cname, mx, ns, ptr, txt] - - tls: - extended: yes # enable this for extended logging information - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: no - # custom allows to control which tls fields that are included - # in eve-log - #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] - - files: - force-magic: no # force logging magic on all logged files - # force logging of checksums, available hash functions are md5, - # sha1 and sha256 - #force-hash: [md5] - #- drop: - # alerts: yes # log alerts that caused drops - # flows: all # start or all: 'start' logs only a single drop - # # per flow direction. All logs each dropped pkt. - - smtp: - #extended: yes # enable this for extended logging information - # this includes: bcc, message-id, subject, x_mailer, user-agent - # custom fields logging from the list: - # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, - # x-originating-ip, in-reply-to, references, importance, priority, - # sensitivity, organization, content-md5, date - #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] - # output md5 of fields: body, subject - # for the body you need to set app-layer.protocols.smtp.mime.body-md5 - # to yes - #md5: [body, subject] - - - dnp3 - - ftp - - rdp - - nfs - - smb - - tftp - - ikev2 - - krb5 - - snmp - - sip - - dhcp: - enabled: yes - # When extended mode is on, all DHCP messages are logged - # with full detail. When extended mode is off (the - # default), just enough information to map a MAC address - # to an IP address is logged. - # extended: no - - ssh - #- stats: - # totals: yes # stats for all threads merged together - # threads: no # per thread stats - # deltas: no # include delta values - # bi-directional flows - - flow - # uni-directional flows - #- netflow - - # Metadata event type. Triggered whenever a pktvar is saved - # and will include the pktvars, flowvars, flowbits and - # flowints. - #- metadata - - # deprecated - unified2 alert format for use with Barnyard2 - - unified2-alert: - enabled: no - # for further options see: - # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#alert-output-for-use-with-barnyard2-unified2-alert - - # a line based log of HTTP requests (no alerts) - - http-log: - enabled: no - filename: http.log - append: yes - #extended: yes # enable this for extended logging information - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # a line based log of TLS handshake parameters (no alerts) - - tls-log: - enabled: no # Log TLS connections. - filename: tls.log # File to store TLS logs. - append: yes - #extended: yes # Log extended information like fingerprint - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: no - - # output module to store certificates chain to disk - - tls-store: - enabled: no - #certs-log-dir: certs # directory to store the certificates files - - # Packet log... log packets in pcap format. 3 modes of operation: "normal" - # "multi" and "sguil". - # - # In normal mode a pcap file "filename" is created in the default-log-dir, - # or are as specified by "dir". - # In multi mode, a file is created per thread. This will perform much - # better, but will create multiple files where 'normal' would create one. - # In multi mode the filename takes a few special variables: - # - %n -- thread number - # - %i -- thread id - # - %t -- timestamp (secs or secs.usecs based on 'ts-format' - # E.g. filename: pcap.%n.%t - # - # Note that it's possible to use directories, but the directories are not - # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the - # per thread directory. - # - # Also note that the limit and max-files settings are enforced per thread. - # So the size limit when using 8 threads with 1000mb files and 2000 files - # is: 8*1000*2000 ~ 16TiB. - # - # In Sguil mode "dir" indicates the base directory. In this base dir the - # pcaps are created in th directory structure Sguil expects: - # - # $sguil-base-dir/YYYY-MM-DD/$filename. - # - # By default all packets are logged except: - # - TCP streams beyond stream.reassembly.depth - # - encrypted streams after the key exchange - # - - pcap-log: - enabled: no - filename: log.pcap - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - limit: 1000mb - - # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" - max-files: 2000 - - # Compression algorithm for pcap files. Possible values: none, lz4. - # Enabling compression is incompatible with the sguil mode. Note also - # that on Windows, enabling compression will *increase* disk I/O. - compression: none - - # Further options for lz4 compression. The compression level can be set - # to a value between 0 and 16, where higher values result in higher - # compression. - #lz4-checksum: no - #lz4-level: 0 - - mode: normal # normal, multi or sguil. - - # Directory to place pcap files. If not provided the default log - # directory will be used. Required for "sguil" mode. - #dir: /nsm_data/ - - #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec - use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets - honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged. - - # a full alerts log containing much information for signature writers - # or for investigating suspected false positives. - - alert-debug: - enabled: no - filename: alert-debug.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # alert output to prelude (https://www.prelude-siem.org/) only - # available if Suricata has been compiled with --enable-prelude - - alert-prelude: - enabled: no - profile: suricata - log-packet-content: no - log-packet-header: yes - - # Stats.log contains data from various counters of the Suricata engine. - - stats: - enabled: yes - filename: stats.log - append: yes # append to file (yes) or overwrite it (no) - totals: yes # stats for all threads merged together - threads: no # per thread stats - null-values: yes # print counters that have value 0 - - # a line based alerts log similar to fast.log into syslog - - syslog: - enabled: no - # reported identity to syslog. If ommited the program name (usually - # suricata) will be used. - #identity: "suricata" - facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - - # deprecated a line based information for dropped packets in IPS mode - - drop: - enabled: no - # further options documented at: - # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#drop-log-a-line-based-information-for-dropped-packets - - # Output module for storing files on disk. Files are stored in a - # directory names consisting of the first 2 characters of the - # SHA256 of the file. Each file is given its SHA256 as a filename. - # - # When a duplicate file is found, the existing file is touched to - # have its timestamps updated. - # - # Unlike the older filestore, metadata is not written out by default - # as each file should already have a "fileinfo" record in the - # eve.log. If write-fileinfo is set to yes, the each file will have - # one more associated .json files that consists of the fileinfo - # record. A fileinfo file will be written for each occurrence of the - # file seen using a filename suffix to ensure uniqueness. - # - # To prune the filestore directory see the "suricatactl filestore - # prune" command which can delete files over a certain age. - - file-store: - version: 2 - enabled: no - - # Set the directory for the filestore. If the path is not - # absolute will be be relative to the default-log-dir. - #dir: filestore - - # Write out a fileinfo record for each occurrence of a - # file. Disabled by default as each occurrence is already logged - # as a fileinfo record to the main eve-log. - #write-fileinfo: yes - - # Force storing of all files. Default: no. - #force-filestore: yes - - # Override the global stream-depth for sessions in which we want - # to perform file extraction. Set to 0 for unlimited. - #stream-depth: 0 - - # Uncomment the following variable to define how many files can - # remain open for filestore by Suricata. Default value is 0 which - # means files get closed after each write - #max-open-files: 1000 - - # Force logging of checksums, available hash functions are md5, - # sha1 and sha256. Note that SHA256 is automatically forced by - # the use of this output module as it uses the SHA256 as the - # file naming scheme. - #force-hash: [sha1, md5] - # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - - # deprecated - file-store v1 - - file-store: - enabled: no - # further options documented at: - # https://suricata.readthedocs.io/en/suricata-5.0.0/file-extraction/file-extraction.html#file-store-version-1 - - # Log TCP data after stream normalization - # 2 types: file or dir. File logs into a single logfile. Dir creates - # 2 files per TCP session and stores the raw TCP data into them. - # Using 'both' will enable both file and dir modes. - # - # Note: limited by stream.reassembly.depth - - tcp-data: - enabled: no - type: file - filename: tcp-data.log - - # Log HTTP body data after normalization, dechunking and unzipping. - # 2 types: file or dir. File logs into a single logfile. Dir creates - # 2 files per HTTP session and stores the normalized data into them. - # Using 'both' will enable both file and dir modes. - # - # Note: limited by the body limit settings - - http-body-data: - enabled: no - type: file - filename: http-data.log - - # Lua Output Support - execute lua script to generate alert and event - # output. - # Documented at: - # https://suricata.readthedocs.io/en/latest/output/lua-output.html - - lua: - enabled: no - #scripts-dir: /etc/suricata/lua-output/ - scripts: - # - script1.lua - -# Logging configuration. This is not about logging IDS alerts/events, but -# output about what Suricata is doing, like startup messages, errors, etc. -logging: - # The default log level, can be overridden in an output section. - # Note that debug level logging will only be emitted if Suricata was - # compiled with the --enable-debug configure option. - # - # This value is overridden by the SC_LOG_LEVEL env var. - default-log-level: notice - - # The default output format. Optional parameter, should default to - # something reasonable if not provided. Can be overridden in an - # output section. You can leave this out to get the default. - # - # This value is overridden by the SC_LOG_FORMAT env var. - #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " - - # A regex to filter output. Can be overridden in an output section. - # Defaults to empty (no filter). - # - # This value is overridden by the SC_LOG_OP_FILTER env var. - default-output-filter: - - # Define your logging outputs. If none are defined, or they are all - # disabled you will get the default - console output. - outputs: - - console: - enabled: yes - # type: json - - file: - enabled: yes - level: info - filename: suricata.log - # type: json - - syslog: - enabled: no - facility: local5 - format: "[%i] <%d> -- " - # type: json - - -## -## Step 4: configure common capture settings -## -## See "Advanced Capture Options" below for more options, including NETMAP -## and PF_RING. -## - -# Linux high speed capture support -af-packet: - - interface: {{ interface }} - # Number of receive threads. "auto" uses the number of cores - #threads: auto - # Default clusterid. AF_PACKET will load balance packets based on flow. - cluster-id: 59 - # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. - # This is only supported for Linux kernel > 3.1 - # possible value are: - # * cluster_flow: all packets of a given flow are send to the same socket - # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket - # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same - # socket. Requires at least Linux 3.14. - # * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for - # more info. - # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system - # with capture card using RSS (require cpu affinity tuning and system irq tuning) - cluster-type: cluster_flow - # In some fragmentation case, the hash can not be computed. If "defrag" is set - # to yes, the kernel will do the needed defragmentation before sending the packets. - defrag: yes - # To use the ring feature of AF_PACKET, set 'use-mmap' to yes - use-mmap: yes - # Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock - # your system - #mmap-locked: yes - # Use tpacket_v3 capture mode, only active if use-mmap is true - # Don't use it in IPS or TAP mode as it causes severe latency - #tpacket-v3: yes - # Ring size will be computed with respect to max_pending_packets and number - # of threads. You can set manually the ring size in number of packets by setting - # the following value. If you are using flow cluster-type and have really network - # intensive single-flow you could want to set the ring-size independently of the number - # of threads: - #ring-size: 2048 - # Block size is used by tpacket_v3 only. It should set to a value high enough to contain - # a decent number of packets. Size is in bytes so please consider your MTU. It should be - # a power of 2 and it must be multiple of page size (usually 4096). - #block-size: 32768 - # tpacket_v3 block timeout: an open block is passed to userspace if it is not - # filled after block-timeout milliseconds. - #block-timeout: 10 - # On busy system, this could help to set it to yes to recover from a packet drop - # phase. This will result in some packets (at max a ring flush) being non treated. - #use-emergency-flush: yes - # recv buffer size, increase value could improve performance - # buffer-size: 32768 - # Set to yes to disable promiscuous mode - # disable-promisc: no - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - kernel: use indication sent by kernel for each packet (default) - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: kernel - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - # You can use the following variables to activate AF_PACKET tap or IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - #copy-mode: ips - #copy-iface: eth1 - # For eBPF and XDP setup including bypass, filter and load balancing, please - # see doc/userguide/capture-hardware/ebpf-xdp.rst for more info. - - # Put default values here. These will be used for an interface that is not - # in the list above. - - interface: default - #threads: auto - #use-mmap: no - #tpacket-v3: yes - -# Cross platform libpcap capture support -pcap: - - interface: eth0 - # On Linux, pcap will try to use mmaped capture and will use buffer-size - # as total of memory used by the ring. So set this to something bigger - # than 1% of your bandwidth. - #buffer-size: 16777216 - #bpf-filter: "tcp and port 25" - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # With some accelerator cards using a modified libpcap (like myricom), you - # may want to have the same number of capture threads as the number of capture - # rings. In this case, set up the threads variable to N to start N threads - # listening on the same interface. - #threads: 16 - # set to no to disable promiscuous mode: - #promisc: no - # set snaplen, if not set it defaults to MTU if MTU can be known - # via ioctl call and to full capture if not. - #snaplen: 1518 - # Put default values here - - interface: default - #checksum-checks: auto - -# Settings for reading pcap files -pcap-file: - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have checksum tested - checksum-checks: auto - -# See "Advanced Capture Options" below for more options, including NETMAP -# and PF_RING. - - -## -## Step 5: App Layer Protocol Configuration -## - -# Configure the app-layer parsers. The protocols section details each -# protocol. -# -# The option "enabled" takes 3 values - "yes", "no", "detection-only". -# "yes" enables both detection and the parser, "no" disables both, and -# "detection-only" enables protocol detection only (parser disabled). -app-layer: - protocols: - krb5: - enabled: yes - snmp: - enabled: yes - ikev2: - enabled: yes - tls: - enabled: yes - detection-ports: - dp: 443 - - # Generate JA3 fingerprint from client hello. If not specified it - # will be disabled by default, but enabled if rules require it. - #ja3-fingerprints: auto - - # What to do when the encrypted communications start: - # - default: keep tracking TLS session, check for protocol anomalies, - # inspect tls_* keywords. Disables inspection of unmodified - # 'content' signatures. - # - bypass: stop processing this flow as much as possible. No further - # TLS parsing and inspection. Offload flow bypass to kernel - # or hardware if possible. - # - full: keep tracking and inspection as normal. Unmodified content - # keyword signatures are inspected as well. - # - # For best performance, select 'bypass'. - # - #encryption-handling: default - - dcerpc: - enabled: yes - ftp: - enabled: yes - # memcap: 64mb - # RDP, disabled by default. - rdp: - #enabled: no - ssh: - enabled: yes - smtp: - enabled: yes - raw-extraction: no - # Configure SMTP-MIME Decoder - mime: - # Decode MIME messages from SMTP transactions - # (may be resource intensive) - # This field supercedes all others because it turns the entire - # process on or off - decode-mime: yes - - # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) - decode-base64: yes - decode-quoted-printable: yes - - # Maximum bytes per header data value stored in the data structure - # (default is 2000) - header-value-depth: 2000 - - # Extract URLs and save in state data structure - extract-urls: yes - # Set to yes to compute the md5 of the mail body. You will then - # be able to journalize it. - body-md5: no - # Configure inspected-tracker for file_data keyword - inspected-tracker: - content-limit: 100000 - content-inspect-min-size: 32768 - content-inspect-window: 4096 - imap: - enabled: detection-only - smb: - enabled: yes - detection-ports: - dp: 139, 445 - - # Stream reassembly size for SMB streams. By default track it completely. - #stream-depth: 0 - - nfs: - enabled: yes - tftp: - enabled: yes - dns: - # memcaps. Globally and per flow/state. - #global-memcap: 16mb - #state-memcap: 512kb - - # How many unreplied DNS requests are considered a flood. - # If the limit is reached, app-layer-event:dns.flooded; will match. - #request-flood: 500 - - tcp: - enabled: yes - detection-ports: - dp: 53 - udp: - enabled: yes - detection-ports: - dp: 53 - http: - enabled: yes - # memcap: Maximum memory capacity for http - # Default is unlimited, value can be such as 64mb - - # default-config: Used when no server-config matches - # personality: List of personalities used by default - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # - # For advanced options, see the user guide - - - # server-config: List of server configurations to use if address matches - # address: List of IP addresses or networks for this block - # personalitiy: List of personalities used by this block - # - # Then, all the fields from default-config can be overloaded - # - # Currently Available Personalities: - # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, - # IIS_7_0, IIS_7_5, Apache_2 - libhtp: - default-config: - personality: IDS - - # Can be specified in kb, mb, gb. Just a number indicates - # it's in bytes. - request-body-limit: 100kb - response-body-limit: 100kb - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 40kb - response-body-inspect-window: 16kb - - # response body decompression (0 disables) - response-body-decompress-layer-limit: 2 - - # auto will use http-body-inline mode in IPS mode, yes or no set it statically - http-body-inline: auto - - # Decompress SWF files. - # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma - # compress-depth: - # Specifies the maximum amount of data to decompress, - # set 0 for unlimited. - # decompress-depth: - # Specifies the maximum amount of decompressed data to obtain, - # set 0 for unlimited. - swf-decompression: - enabled: yes - type: both - compress-depth: 0 - decompress-depth: 0 - - # Take a random value for inspection sizes around the specified value. - # This lower the risk of some evasion technics but could lead - # detection change between runs. It is set to 'yes' by default. - #randomize-inspection-sizes: yes - # If randomize-inspection-sizes is active, the value of various - # inspection size will be choosen in the [1 - range%, 1 + range%] - # range - # Default value of randomize-inspection-range is 10. - #randomize-inspection-range: 10 - - # decoding - double-decode-path: no - double-decode-query: no - - # Can disable LZMA decompression - #lzma-enabled: yes - # Memory limit usage for LZMA decompression dictionary - # Data is decompressed until dictionary reaches this size - #lzma-memlimit: 1mb - # Maximum decompressed size with a compression ratio - # above 2048 (only LZMA can reach this ratio, deflate cannot) - #compression-bomb-limit: 1mb - - server-config: - - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - # Note: Modbus probe parser is minimalist due to the poor significant field - # Only Modbus message length (greater than Modbus header length) - # And Protocol ID (equal to 0) are checked in probing parser - # It is important to enable detection port and define Modbus port - # to avoid false positive - modbus: - # How many unreplied Modbus requests are considered a flood. - # If the limit is reached, app-layer-event:modbus.flooded; will match. - #request-flood: 500 - - enabled: no - detection-ports: - dp: 502 - # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it - # is recommended to keep the TCP connection opened with a remote device - # and not to open and close it for each MODBUS/TCP transaction. In that - # case, it is important to set the depth of the stream reassembling as - # unlimited (stream.reassembly.depth: 0) - - # Stream reassembly size for modbus. By default track it completely. - stream-depth: 0 - - # DNP3 - dnp3: - enabled: no - detection-ports: - dp: 20000 - - # SCADA EtherNet/IP and CIP protocol support - enip: - enabled: no - detection-ports: - dp: 44818 - sp: 44818 - - ntp: - enabled: yes - - dhcp: - enabled: yes - - # SIP, disabled by default. - sip: - #enabled: no - -# Limit for the maximum number of asn1 frames to decode (default 256) -asn1-max-frames: 256 - - -############################################################################## -## -## Advanced settings below -## -############################################################################## - -## -## Run Options -## - -# Run suricata as user and group. -run-as: - user: suricata - group: suricata - -# Some logging module will use that name in event as identifier. The default -# value is the hostname -#sensor-name: suricata - -# Default location of the pid file. The pid file is only used in -# daemon mode (start Suricata with -D). If not running in daemon mode -# the --pidfile command line option must be used to create a pid file. -#pid-file: /var/run/suricata.pid - -# Daemon working directory -# Suricata will change directory to this one if provided -# Default: "/" -#daemon-directory: "/" - -# Umask. -# Suricata will use this umask if it is provided. By default it will use the -# umask passed on by the shell. -#umask: 022 - -# Suricata core dump configuration. Limits the size of the core dump file to -# approximately max-dump. The actual core dump size will be a multiple of the -# page size. Core dumps that would be larger than max-dump are truncated. On -# Linux, the actual core dump size may be a few pages larger than max-dump. -# Setting max-dump to 0 disables core dumping. -# Setting max-dump to 'unlimited' will give the full core dump file. -# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size -# to be 'unlimited'. - -coredump: - max-dump: unlimited - -# If Suricata box is a router for the sniffed networks, set it to 'router'. If -# it is a pure sniffing setup, set it to 'sniffer-only'. -# If set to auto, the variable is internally switch to 'router' in IPS mode -# and 'sniffer-only' in IDS mode. -# This feature is currently only used by the reject* keywords. -host-mode: auto - -# Number of packets preallocated per thread. The default is 1024. A higher number -# will make sure each CPU will be more easily kept busy, but may negatively -# impact caching. -max-pending-packets: 5000 - -# Runmode the engine should use. Please check --list-runmodes to get the available -# runmodes for each packet acquisition method. Default depends on selected capture -# method. 'workers' generally gives best performance. -runmode: workers - -# Specifies the kind of flow load balancer used by the flow pinned autofp mode. -# -# Supported schedulers are: -# -# hash - Flow assigned to threads using the 5-7 tuple hash. -# ippair - Flow assigned to threads using addresses only. -# -#autofp-scheduler: hash - -# Preallocated size for packet. Default is 1514 which is the classical -# size for pcap on ethernet. You should adjust this value to the highest -# packet size (MTU + hardware header) on your system. -default-packet-size: {{ MTU + 15 }} - -# Unix command socket can be used to pass commands to Suricata. -# An external tool can then connect to get information from Suricata -# or trigger some modifications of the engine. Set enabled to yes -# to activate the feature. In auto mode, the feature will only be -# activated in live capture mode. You can use the filename variable to set -# the file name of the socket. -unix-command: - enabled: auto - #filename: custom.socket - -# Magic file. The extension .mgc is added to the value here. -#magic-file: /usr/share/file/magic -#magic-file: - -# GeoIP2 database file. Specify path and filename of GeoIP2 database -# if using rules with "geoip" rule option. -#geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb - -legacy: - uricontent: enabled - -## -## Detection settings -## - -# Set the order of alerts based on actions -# The default order is pass, drop, reject, alert -# action-order: -# - pass -# - drop -# - reject -# - alert - -# IP Reputation -#reputation-categories-file: /etc/suricata/iprep/categories.txt -#default-reputation-path: /etc/suricata/iprep -#reputation-files: -# - reputation.list - -# When run with the option --engine-analysis, the engine will read each of -# the parameters below, and print reports for each of the enabled sections -# and exit. The reports are printed to a file in the default log dir -# given by the parameter "default-log-dir", with engine reporting -# subsection below printing reports in its own report file. -engine-analysis: - # enables printing reports for fast-pattern for every rule. - rules-fast-pattern: yes - # enables printing reports for each rule - rules: yes - -#recursion and match limits for PCRE where supported -pcre: - match-limit: 3500 - match-limit-recursion: 1500 - -## -## Advanced Traffic Tracking and Reconstruction Settings -## - -# Host specific policies for defragmentation and TCP stream -# reassembly. The host OS lookup is done using a radix tree, just -# like a routing table so the most specific entry matches. -host-os-policy: - # Make the default policy windows. - windows: [0.0.0.0/0] - bsd: [] - bsd-right: [] - old-linux: [] - linux: [] - old-solaris: [] - solaris: [] - hpux10: [] - hpux11: [] - irix: [] - macos: [] - vista: [] - windows2k3: [] - -# Defrag settings: - -defrag: - memcap: 32mb - hash-size: 65536 - trackers: 65535 # number of defragmented flows to follow - max-frags: 65535 # number of fragments to keep (higher than trackers) - prealloc: yes - timeout: 60 - -# Enable defrag per host settings -# host-config: -# -# - dmz: -# timeout: 30 -# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] -# -# - lan: -# timeout: 45 -# address: -# - 192.168.0.0/24 -# - 192.168.10.0/24 -# - 172.16.14.0/24 - -# Flow settings: -# By default, the reserved memory (memcap) for flows is 32MB. This is the limit -# for flow allocation inside the engine. You can change this value to allow -# more memory usage for flows. -# The hash-size determine the size of the hash used to identify flows inside -# the engine, and by default the value is 65536. -# At the startup, the engine can preallocate a number of flows, to get a better -# performance. The number of flows preallocated is 10000 by default. -# emergency-recovery is the percentage of flows that the engine need to -# prune before unsetting the emergency state. The emergency state is activated -# when the memcap limit is reached, allowing to create new flows, but -# pruning them with the emergency timeouts (they are defined below). -# If the memcap is reached, the engine will try to prune flows -# with the default timeouts. If it doesn't find a flow to prune, it will set -# the emergency bit and it will try again with more aggressive timeouts. -# If that doesn't work, then it will try to kill the last time seen flows -# not in use. -# The memcap can be specified in kb, mb, gb. Just a number indicates it's -# in bytes. - -flow: - memcap: 128mb - hash-size: 65536 - prealloc: 10000 - emergency-recovery: 30 - #managers: 1 # default to one flow manager - #recyclers: 1 # default to one flow recycler thread - -# This option controls the use of vlan ids in the flow (and defrag) -# hashing. Normally this should be enabled, but in some (broken) -# setups where both sides of a flow are not tagged with the same vlan -# tag, we can ignore the vlan id's in the flow hashing. -vlan: - use-for-tracking: true - -# Specific timeouts for flows. Here you can specify the timeouts that the -# active flows will wait to transit from the current state to another, on each -# protocol. The value of "new" determine the seconds to wait after a handshake or -# stream startup before the engine free the data of that flow it doesn't -# change the state to established (usually if we don't receive more packets -# of that flow). The value of "established" is the amount of -# seconds that the engine will wait to free the flow if it spend that amount -# without receiving new packets or closing the connection. "closed" is the -# amount of time to wait after a flow is closed (usually zero). "bypassed" -# timeout controls locally bypassed flows. For these flows we don't do any other -# tracking. If no packets have been seen after this timeout, the flow is discarded. -# -# There's an emergency mode that will become active under attack circumstances, -# making the engine to check flow status faster. This configuration variables -# use the prefix "emergency-" and work similar as the normal ones. -# Some timeouts doesn't apply to all the protocols, like "closed", for udp and -# icmp. - -flow-timeouts: - - default: - new: 30 - established: 300 - closed: 0 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-closed: 0 - emergency-bypassed: 50 - tcp: - new: 60 - established: 600 - closed: 60 - bypassed: 100 - emergency-new: 5 - emergency-established: 100 - emergency-closed: 10 - emergency-bypassed: 50 - udp: - new: 30 - established: 300 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-bypassed: 50 - icmp: - new: 30 - established: 300 - bypassed: 100 - emergency-new: 10 - emergency-established: 100 - emergency-bypassed: 50 - -# Stream engine settings. Here the TCP stream tracking and reassembly -# engine is configured. -# -# stream: -# memcap: 32mb # Can be specified in kb, mb, gb. Just a -# # number indicates it's in bytes. -# checksum-validation: yes # To validate the checksum of received -# # packet. If csum validation is specified as -# # "yes", then packet with invalid csum will not -# # be processed by the engine stream/app layer. -# # Warning: locally generated traffic can be -# # generated without checksum due to hardware offload -# # of checksum. You can control the handling of checksum -# # on a per-interface basis via the 'checksum-checks' -# # option -# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread -# midstream: false # don't allow midstream session pickups -# async-oneside: false # don't enable async stream handling -# inline: no # stream inline mode -# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine -# max-synack-queued: 5 # Max different SYN/ACKs to queue -# bypass: no # Bypass packets when stream.reassembly.depth is reached. -# # Warning: first side to reach this triggers -# # the bypass. -# -# reassembly: -# memcap: 64mb # Can be specified in kb, mb, gb. Just a number -# # indicates it's in bytes. -# depth: 1mb # Can be specified in kb, mb, gb. Just a number -# # indicates it's in bytes. -# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. -# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. -# randomize-chunk-size: yes # Take a random value for chunk size around the specified value. -# # This lower the risk of some evasion technics but could lead -# # detection change between runs. It is set to 'yes' by default. -# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is -# # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size -# # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same -# # calculation for toclient-chunk-size. -# # Default value of randomize-chunk-range is 10. -# -# raw: yes # 'Raw' reassembly enabled or disabled. -# # raw is for content inspection by detection -# # engine. -# -# segment-prealloc: 2048 # number of segments preallocated per thread -# -# check-overlap-different-data: true|false -# # check if a segment contains different data -# # than what we've already seen for that -# # position in the stream. -# # This is enabled automatically if inline mode -# # is used or when stream-event:reassembly_overlap_different_data; -# # is used in a rule. -# -stream: - memcap: 64mb - checksum-validation: yes # reject wrong csums - inline: auto # auto will use inline mode in IPS mode, yes or no set it statically - reassembly: - memcap: 256mb - depth: 1mb # reassemble 1mb into a stream - toserver-chunk-size: 2560 - toclient-chunk-size: 2560 - randomize-chunk-size: yes - #randomize-chunk-range: 10 - #raw: yes - #segment-prealloc: 2048 - #check-overlap-different-data: true - -# Host table: -# -# Host table is used by tagging and per host thresholding subsystems. -# -host: - hash-size: 4096 - prealloc: 1000 - memcap: 32mb - -# IP Pair table: -# -# Used by xbits 'ippair' tracking. -# -#ippair: -# hash-size: 4096 -# prealloc: 1000 -# memcap: 32mb - -# Decoder settings - -decoder: - # Teredo decoder is known to not be completely accurate - # as it will sometimes detect non-teredo as teredo. - teredo: - enabled: true - # ports to look for Teredo. Max 4 ports. If no ports are given, or - # the value is set to 'any', Teredo detection runs on _all_ UDP packets. - ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'. - - # VXLAN decoder is assigned to up to 4 UDP ports. By default only the - # IANA assigned port 4789 is enabled. - vxlan: - enabled: true - ports: $VXLAN_PORTS # syntax: '8472, 4789' - # ERSPAN Type I decode support - erspan: - typeI: - enabled: false - - -## -## Performance tuning and profiling -## - -# The detection engine builds internal groups of signatures. The engine -# allow us to specify the profile to use for them, to manage memory on an -# efficient way keeping a good performance. For the profile keyword you -# can use the words "low", "medium", "high" or "custom". If you use custom -# make sure to define the values at "- custom-values" as your convenience. -# Usually you would prefer medium/high/low. -# -# "sgh mpm-context", indicates how the staging should allot mpm contexts for -# the signature groups. "single" indicates the use of a single context for -# all the signature group heads. "full" indicates a mpm-context for each -# group head. "auto" lets the engine decide the distribution of contexts -# based on the information the engine gathers on the patterns from each -# group head. -# -# The option inspection-recursion-limit is used to limit the recursive calls -# in the content inspection code. For certain payload-sig combinations, we -# might end up taking too much time in the content inspection code. -# If the argument specified is 0, the engine uses an internally defined -# default limit. On not specifying a value, we use no limits on the recursion. -detect: - profile: medium - custom-values: - toclient-groups: 3 - toserver-groups: 25 - sgh-mpm-context: auto - inspection-recursion-limit: 3000 - # If set to yes, the loading of signatures will be made after the capture - # is started. This will limit the downtime in IPS mode. - #delayed-detect: yes - - prefilter: - # default prefiltering setting. "mpm" only creates MPM/fast_pattern - # engines. "auto" also sets up prefilter engines for other keywords. - # Use --list-keywords=all to see which keywords support prefiltering. - default: mpm - - # the grouping values above control how many groups are created per - # direction. Port whitelisting forces that port to get it's own group. - # Very common ports will benefit, as well as ports with many expensive - # rules. - grouping: - #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 - #udp-whitelist: 53, 135, 5060 - - profiling: - # Log the rules that made it past the prefilter stage, per packet - # default is off. The threshold setting determines how many rules - # must have made it past pre-filter for that rule to trigger the - # logging. - #inspect-logging-threshold: 200 - grouping: - dump-to-disk: false - include-rules: false # very verbose - include-mpm-stats: false - -# Select the multi pattern algorithm you want to run for scan/search the -# in the engine. -# -# The supported algorithms are: -# "ac" - Aho-Corasick, default implementation -# "ac-bs" - Aho-Corasick, reduced memory implementation -# "ac-ks" - Aho-Corasick, "Ken Steele" variant -# "hs" - Hyperscan, available when built with Hyperscan support -# -# The default mpm-algo value of "auto" will use "hs" if Hyperscan is -# available, "ac" otherwise. -# -# The mpm you choose also decides the distribution of mpm contexts for -# signature groups, specified by the conf - "detect.sgh-mpm-context". -# Selecting "ac" as the mpm would require "detect.sgh-mpm-context" -# to be set to "single", because of ac's memory requirements, unless the -# ruleset is small enough to fit in one's memory, in which case one can -# use "full" with "ac". Rest of the mpms can be run in "full" mode. - -mpm-algo: auto - -# Select the matching algorithm you want to use for single-pattern searches. -# -# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only -# available if Suricata has been built with Hyperscan support). -# -# The default of "auto" will use "hs" if available, otherwise "bm". - -spm-algo: auto - -# Suricata is multi-threaded. Here the threading can be influenced. -threading: - set-cpu-affinity: yes - # Tune cpu affinity of threads. Each family of threads can be bound - # on specific CPUs. - # - # These 2 apply to the all runmodes: - # management-cpu-set is used for flow timeout handling, counters - # worker-cpu-set is used for 'worker' threads - # - # Additionally, for autofp these apply: - # receive-cpu-set is used for capture threads - # verdict-cpu-set is used for IPS verdict threads - # - {%- if salt['pillar.get']('sensor:suriprocs') %} - cpu-affinity: - - management-cpu-set: - cpu: [ all ] # include only these CPUs in affinity settings - - receive-cpu-set: - cpu: [ all ] # include only these CPUs in affinity settings - - worker-cpu-set: - cpu: [ "all" ] - mode: "exclusive" - # Use explicitely 3 threads and don't compute number by using - # detect-thread-ratio variable: - # threads: 3 - threads: {{ salt['pillar.get']('sensor:suriprocs') }} - prio: - low: [ 0 ] - medium: [ "1-2" ] - high: [ 3 ] - default: "high" - #- verdict-cpu-set: - # cpu: [ 0 ] - # prio: - # default: "high" - {%- endif -%} - {%- if salt['pillar.get']('sensor:suripins') %} - cpu-affinity: - - management-cpu-set: - cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings - - receive-cpu-set: - cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings - - worker-cpu-set: - cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] - mode: "exclusive" - # Use explicitely 3 threads and don't compute number by using - # detect-thread-ratio variable: - threads: {{ salt['pillar.get']('sensor:suripins')|length }} - prio: - default: "high" - {% endif %} - - # - # By default Suricata creates one "detect" thread per available CPU/CPU core. - # This setting allows controlling this behaviour. A ratio setting of 2 will - # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this - # will result in 4 detect threads. If values below 1 are used, less threads - # are created. So on a dual core CPU a setting of 0.5 results in 1 detect - # thread being created. Regardless of the setting at a minimum 1 detect - # thread will always be created. - # - detect-thread-ratio: 1.0 - -# Luajit has a strange memory requirement, it's 'states' need to be in the -# first 2G of the process' memory. -# -# 'luajit.states' is used to control how many states are preallocated. -# State use: per detect script: 1 per detect thread. Per output script: 1 per -# script. -luajit: - states: 128 - -# Profiling settings. Only effective if Suricata has been built with the -# the --enable-profiling configure flag. -# -profiling: - # Run profiling for every xth packet. The default is 1, which means we - # profile every packet. If set to 1000, one packet is profiled for every - # 1000 received. - #sample-rate: 1000 - - # rule profiling - rules: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: rule_perf.log - append: yes - - # Sort options: ticks, avgticks, checks, matches, maxticks - # If commented out all the sort options will be used. - #sort: avgticks - - # Limit the number of sids for which stats are shown at exit (per sort). - limit: 10 - - # output to json - json: yes - - # per keyword profiling - keywords: - enabled: yes - filename: keyword_perf.log - append: yes - - prefilter: - enabled: yes - filename: prefilter_perf.log - append: yes - - # per rulegroup profiling - rulegroups: - enabled: yes - filename: rule_group_perf.log - append: yes - - # packet profiling - packets: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: packet_stats.log - append: yes - - # per packet csv output - csv: - - # Output can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: no - filename: packet_stats.csv - - # profiling of locking. Only available when Suricata was built with - # --enable-profiling-locks. - locks: - enabled: no - filename: lock_stats.log - append: yes - - pcap-log: - enabled: no - filename: pcaplog_stats.log - append: yes - -## -## Netfilter integration -## - -# When running in NFQ inline mode, it is possible to use a simulated -# non-terminal NFQUEUE verdict. -# This permit to do send all needed packet to Suricata via this a rule: -# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE -# And below, you can have your standard filtering ruleset. To activate -# this mode, you need to set mode to 'repeat' -# If you want packet to be sent to another queue after an ACCEPT decision -# set mode to 'route' and set next-queue value. -# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance -# by processing several packets before sending a verdict (worker runmode only). -# On linux >= 3.6, you can set the fail-open option to yes to have the kernel -# accept the packet if Suricata is not able to keep pace. -# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is -# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask -# on packet of a flow that need to be bypassed. The Nefilter ruleset has to -# directly accept all packets of a flow once a packet has been marked. -nfq: -# mode: accept -# repeat-mark: 1 -# repeat-mask: 1 -# bypass-mark: 1 -# bypass-mask: 1 -# route-queue: 2 -# batchcount: 20 -# fail-open: yes - -#nflog support -nflog: - # netlink multicast group - # (the same as the iptables --nflog-group param) - # Group 0 is used by the kernel, so you can't use it - - group: 2 - # netlink buffer size - buffer-size: 18432 - # put default value here - - group: default - # set number of packet to queue inside kernel - qthreshold: 1 - # set the delay before flushing packet in the queue inside kernel - qtimeout: 100 - # netlink max buffer size - max-size: 20000 - -## -## Advanced Capture Options -## - -# general settings affecting packet capture -capture: - # disable NIC offloading. It's restored when Suricata exits. - # Enabled by default. - #disable-offloading: false - # - # disable checksum validation. Same as setting '-k none' on the - # commandline. - #checksum-validation: none - -# Netmap support -# -# Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which have -# built-in netmap support or compile and install netmap module and appropriate -# NIC driver on your Linux system. -# To reach maximum throughput disable all receive-, segmentation-, -# checksum- offloadings on NIC. -# Disabling Tx checksum offloading is *required* for connecting OS endpoint -# with NIC endpoint. -# You can find more information at https://github.com/luigirizzo/netmap -# -netmap: - # To specify OS endpoint add plus sign at the end (e.g. "eth0+") - - interface: eth2 - # Number of capture threads. "auto" uses number of RSS queues on interface. - # Warning: unless the RSS hashing is symmetrical, this will lead to - # accuracy issues. - #threads: auto - # You can use the following variables to activate netmap tap or IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - # To specify the OS as the copy-iface (so the OS can route packets, or forward - # to a service running on the same machine) add a plus sign at the end - # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 - # for return packets. Hardware checksumming must be *off* on the interface if - # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD - # or 'ethtool -K eth0 tx off rx off' for Linux). - #copy-mode: tap - #copy-iface: eth3 - # Set to yes to disable promiscuous mode - # disable-promisc: no - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - #- interface: eth3 - #threads: auto - #copy-mode: tap - #copy-iface: eth2 - # Put default values here - - interface: default - -# PF_RING configuration. for use with native PF_RING support -# for more info see http://www.ntop.org/products/pf_ring/ -pfring: - - interface: eth0 - # Number of receive threads. If set to 'auto' Suricata will first try - # to use CPU (core) count and otherwise RSS queue count. - threads: auto - - # Default clusterid. PF_RING will load balance packets based on flow. - # All threads/processes that will participate need to have the same - # clusterid. - cluster-id: 99 - - # Default PF_RING cluster type. PF_RING can load balance per flow. - # Possible values are cluster_flow or cluster_round_robin. - cluster-type: cluster_flow - - # bpf filter for this interface - #bpf-filter: tcp - - # If bypass is set then the PF_RING hw bypass is activated, when supported - # by the interface in use. Suricata will instruct the interface to bypass - # all future packets for a flow that need to be bypassed. - #bypass: yes - - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - rxonly: only compute checksum for packets received by network card. - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # Second interface - #- interface: eth1 - # threads: 3 - # cluster-id: 93 - # cluster-type: cluster_flow - # Put default values here - - interface: default - #threads: 2 - -# For FreeBSD ipfw(8) divert(4) support. -# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" -# in /etc/loader.conf or kldload'ing the appropriate kernel modules. -# Additionally, you need to have an ipfw rule for the engine to see -# the packets from ipfw. For Example: -# -# ipfw add 100 divert 8000 ip from any to any -# -# The 8000 above should be the same number you passed on the command -# line, i.e. -d 8000 -# -ipfw: - - # Reinject packets at the specified ipfw rule number. This config - # option is the ipfw rule number AT WHICH rule processing continues - # in the ipfw processing system after the engine has finished - # inspecting the packet for acceptance. If no rule number is specified, - # accepted packets are reinjected at the divert rule which they entered - # and IPFW rule processing continues. No check is done to verify - # this will rule makes sense so care must be taken to avoid loops in ipfw. - # - ## The following example tells the engine to reinject packets - # back into the ipfw firewall AT rule number 5500: - # - # ipfw-reinjection-rule-number: 5500 - - -napatech: - # The Host Buffer Allowance for all streams - # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) - # This may be enabled when sharing streams with another application. - # Otherwise, it should be turned off. - #hba: -1 - - # When use_all_streams is set to "yes" the initialization code will query - # the Napatech service for all configured streams and listen on all of them. - # When set to "no" the streams config array will be used. - # - # This option necessitates running the appropriate NTPL commands to create - # the desired streams prior to running suricata. - #use-all-streams: no - - # The streams to listen on when auto-config is disabled or when and threading - # cpu-affinity is disabled. This can be either: - # an individual stream (e.g. streams: [0]) - # or - # a range of streams (e.g. streams: ["0-3"]) - # - streams: ["0-3"] - - # When auto-config is enabled the streams will be created and assigned - # automatically to the NUMA node where the thread resides. If cpu-affinity - # is enabled in the threading section. Then the streams will be created - # according to the number of worker threads specified in the worker cpu set. - # Otherwise, the streams array is used to define the streams. - # - # This option cannot be used simultaneous with "use-all-streams". - # - auto-config: yes - - # Ports indicates which napatech ports are to be used in auto-config mode. - # these are the port ID's of the ports that will be merged prior to the - # traffic being distributed to the streams. - # - # This can be specified in any of the following ways: - # - # a list of individual ports (e.g. ports: [0,1,2,3]) - # - # a range of ports (e.g. ports: [0-3]) - # - # "all" to indicate that all ports are to be merged together - # (e.g. ports: [all]) - # - # This has no effect if auto-config is disabled. - # - ports: [all] - - # When auto-config is enabled the hashmode specifies the algorithm for - # determining to which stream a given packet is to be delivered. - # This can be any valid Napatech NTPL hashmode command. - # - # The most common hashmode commands are: hash2tuple, hash2tuplesorted, - # hash5tuple, hash5tuplesorted and roundrobin. - # - # See Napatech NTPL documentation other hashmodes and details on their use. - # - # This has no effect if auto-config is disabled. - # - hashmode: hash5tuplesorted - -## -## Configure Suricata to load Suricata-Update managed rules. -## -## If this section is completely commented out move down to the "Advanced rule -## file configuration". -## - -default-rule-path: /etc/suricata/rules - -rule-files: - - all.rules - -## -## Auxiliary configuration files. -## - -classification-file: /etc/suricata/classification.config -reference-config-file: /etc/suricata/reference.config -# threshold-file: /etc/suricata/threshold.config - -## -## Include other configs -## - -# Includes. Files included here will be handled as if they were -# inlined in this configuration file. -#include: include1.yaml -#include: include2.yaml diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 0f3d49bc3..c0677db16 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -14,12 +14,16 @@ # along with this program. If not, see . {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} -{% set BROVER = salt['pillar.get']('static:broversion', '') %} +{% set ZEEKVER = salt['pillar.get']('static:zeekversion', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} {% set BPF_NIDS = salt['pillar.get']('nids:bpf') %} {% set BPF_STATUS = 0 %} +{# import_yaml 'suricata/files/defaults2.yaml' as suricata #} +{% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata_config with context %} + # Suricata # Add Suricata Group @@ -68,14 +72,27 @@ surirulesync: - user: 940 - group: 940 +surilogscript: + file.managed: + - name: /usr/local/bin/surilogcompress + - source: salt://suricata/cron/surilogcompress + - mode: 755 + +/usr/local/bin/surilogcompress: + cron.present: + - user: suricata + - minute: '17' + - hour: '*' + - daymonth: '*' + - month: '*' + - dayweek: '*' + suriconfigsync: file.managed: - name: /opt/so/conf/suricata/suricata.yaml - {%- if BROVER != 'SURICATA' %} - - source: salt://suricata/files/suricata.yaml - {%- else %} - - source: salt://suricata/files/suricataMETA.yaml - {%- endif %} + - source: salt://suricata/files/suricata.yaml.jinja + - context: + suricata_config: {{ suricata_config.suricata.config }} - user: 940 - group: 940 - template: jinja @@ -116,7 +133,7 @@ suribpf: so-suricata: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-suricata:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-suricata:{{ VERSION }} - privileged: True - environment: - INTERFACE={{ interface }} diff --git a/salt/suricata/master.sls b/salt/suricata/manager.sls similarity index 100% rename from salt/suricata/master.sls rename to salt/suricata/manager.sls diff --git a/salt/suricata/suricata_config.map.jinja b/salt/suricata/suricata_config.map.jinja new file mode 100644 index 000000000..9fb3c9a7f --- /dev/null +++ b/salt/suricata/suricata_config.map.jinja @@ -0,0 +1,59 @@ +{% import_yaml 'suricata/defaults.yaml' as suricata_defaults with context %} +{% import_yaml 'suricata/suricata_meta.yaml' as suricata_meta with context %} +{% from 'suricata/afpacket.map.jinja' import afpacket %} +{% set suricata_pillar = salt['pillar.get']('suricata:config', {}) %} +{% set default_evelog_index = [] %} +{% set surimeta_evelog_index = [] %} + +{% if salt['pillar.get']('sensor:hnsensor') %} + {% load_yaml as homenet %} +HOME_NET: "[{{salt['pillar.get']('sensor:hnsensor')}}]" + {% endload %} +{% else %} + {% load_yaml as homenet %} +HOME_NET: "[{{salt['pillar.get']('static:hnmanager', '')}}]" + {% endload %} +{% endif %} + +{% set hardware_header = 15 %} +{% set default_packet_size = salt['grains.filter_by']({ + '*_eval': { + 'default-packet-size': salt['pillar.get']('sensor:mtu', 1500) + hardware_header, + }, + '*_helix': { + 'default-packet-size': salt['pillar.get']('sensor:mtu', 9000) + hardware_header, + }, + '*': { + 'default-packet-size': salt['pillar.get']('sensor:mtu', 1500) + hardware_header, + }, +},grain='id') %} + +{# Find the index of eve-log so it can be updated later #} +{% for li in suricata_defaults.suricata.config.outputs %} + {% if 'eve-log' in li.keys() %} + {% do default_evelog_index.append(loop.index0) %} + {% endif %} +{% endfor %} +{% set default_evelog_index = default_evelog_index[0] %} + +{# Find the index of eve-log so it can be grabbed later #} +{% for li in suricata_meta.suricata.config.outputs %} + {% if 'eve-log' in li.keys() %} + {% do surimeta_evelog_index.append(loop.index0) %} + {% endif %} +{% endfor %} +{% set surimeta_evelog_index = surimeta_evelog_index[0] %} + +{% if salt['pillar.get']('static:zeekversion', 'ZEEK') == 'SURICATA' %} + {% do suricata_defaults.suricata.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_meta.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %} +{% endif %} + +{% do suricata_defaults.suricata.config.update(default_packet_size) %} +{% do suricata_defaults.suricata.config.update(afpacket) %} +{% do suricata_defaults.suricata.config.vars['address-groups'].update(homenet) %} +{% if salt['pillar.get']('sensor:suriprocs', salt['pillar.get']('sensor:suripins', {})) %} + {% from 'suricata/threading.map.jinja' import cpu_affinity with context %} + {% do suricata_defaults.suricata.config.threading.update(cpu_affinity) %} +{% endif %} + +{% do salt['defaults.merge'](suricata_defaults.suricata.config, suricata_pillar, in_place=True) %} \ No newline at end of file diff --git a/salt/suricata/suricata_meta.yaml b/salt/suricata/suricata_meta.yaml new file mode 100644 index 000000000..4cf2530cd --- /dev/null +++ b/salt/suricata/suricata_meta.yaml @@ -0,0 +1,58 @@ +suricata: + config: + outputs: + - eve-log: + types: + - anomaly: + enabled: "no" + types: + decode: "no" + stream: "no" + applayer: "yes" + packethdr: "no" + - http: + extended: "yes" + #custom: [Accept-Encoding, Accept-Language, Authorization] + # dump-all-headers: none + - dns: + version: 2 + enabled: "yes" + #requests: "no" + #responses: "no" + #formats: [detailed, grouped] + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: "yes" + #session-resumption: "no" + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] + - files: + force-magic: "no" + #force-hash: [md5] + #- drop: + # alerts: "yes" + # flows: all + - smtp: + extended: "yes" + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + #md5: [body, subject] + - dnp3 + - ftp + - rdp + - nfs + - smb + - tftp + - ikev2 + - krb5 + - snmp + - sip + - dhcp: + enabled: "yes" + # extended: "no" + - ssh + #- stats: + # totals: "yes" + # threads: "no" + # deltas: "no" + - flow + #- netflow + #- metadata \ No newline at end of file diff --git a/salt/suricata/threading.map.jinja b/salt/suricata/threading.map.jinja new file mode 100644 index 000000000..fb9e16d6b --- /dev/null +++ b/salt/suricata/threading.map.jinja @@ -0,0 +1,32 @@ +{% if salt['pillar.get']('sensor:suriprocs') %} + {% load_yaml as cpu_affinity%} +cpu-affinity: + - management-cpu-set: + cpu: [ all ] # include only these CPUs in affinity settings + - receive-cpu-set: + cpu: [ all ] # include only these CPUs in affinity settings + - worker-cpu-set: + cpu: [ "all" ] + mode: "exclusive" + threads: {{ salt['pillar.get']('sensor:suriprocs') }} + prio: + low: [ 0 ] + medium: [ "1-2" ] + high: [ 3 ] + default: "high" + {% endload %} +{% elif salt['pillar.get']('sensor:suripins') %} + {% load_yaml as cpu_affinity%} +cpu-affinity: + - management-cpu-set: + cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings + - receive-cpu-set: + cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] # include only these cpus in affinity settings + - worker-cpu-set: + cpu: [ {{ salt['pillar.get']('sensor:suripins')|join(",") }} ] + mode: "exclusive" + threads: {{ salt['pillar.get']('sensor:suripins')|length }} + prio: + default: "high" + {% endload %} +{% endif %} \ No newline at end of file diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls index 5a054bf5d..7247e4505 100644 --- a/salt/tcpreplay/init.sls +++ b/salt/tcpreplay/init.sls @@ -1,11 +1,12 @@ {% if grains['role'] == 'so-sensor' or grains['role'] == 'so-eval' %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} so-tcpreplay: docker_container.running: - network_mode: "host" - - image: {{ MASTER }}:5000/soshybridhunter/so-tcpreplay:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-tcpreplay:{{ VERSION }} - name: so-tcpreplay - user: root - interactive: True diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index 73cd194e2..70ca7837f 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -13,8 +13,8 @@ # them with $. For strings the variable must be within quotes (ie, "$STR_VAR"), # for numbers and booleans they should be plain (ie, $INT_VAR, $BOOL_VAR) -{%- set MASTER = grains['master'] %} -{% set NODEIP = salt['pillar.get']('node:mainip', '') %} +{%- set MANAGER = salt['grains.get']('master') %} +{% set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') %} {% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %} {% set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %} @@ -98,7 +98,7 @@ ## urls will be written to each interval. # urls = ["unix:///var/run/influxdb.sock"] # urls = ["udp://127.0.0.1:8089"] - urls = ["https://{{ MASTER }}:8086"] + urls = ["https://{{ MANAGER }}:8086"] ## The target database for metrics; will be created as needed. @@ -616,13 +616,13 @@ # # Read stats from one or more Elasticsearch servers or clusters -{% if grains['role'] in ['so-master', 'so-eval', 'so-mastersearch', 'so-standalone'] %} +{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %} [[inputs.elasticsearch]] # ## specify a list of one or more Elasticsearch servers # # you can add username and password to your url to use basic authentication: # # servers = ["http://user:pass@localhost:9200"] - servers = ["http://{{ MASTER }}:9200"] + servers = ["http://{{ MANAGER }}:9200"] {% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} [[inputs.elasticsearch]] servers = ["http://{{ NODEIP }}:9200"] @@ -666,7 +666,7 @@ # # Read metrics from one or more commands that can output to stdout # ## Commands array -{% if grains['role'] in ['so-master', 'so-mastersearch'] %} +{% if grains['role'] in ['so-manager', 'so-managersearch'] %} [[inputs.exec]] commands = [ "/scripts/redis.sh", @@ -2063,9 +2063,9 @@ # ## more about them here: # ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_INPUT.md # # data_format = "influx" -[[inputs.socket_listener]] - service_address = "udp://:8094" - data_format = "influx" +#[[inputs.socket_listener]] +# service_address = "udp://:8094" +# data_format = "influx" # # Statsd UDP/TCP Server diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index 834f77bf1..668a8839a 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -1,5 +1,6 @@ -{% set MASTER = salt['grains.get']('master') %} +{% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} # Add Telegraf to monitor all the things. tgraflogdir: @@ -20,9 +21,9 @@ tgrafetsdir: tgrafsyncscripts: file.recurse: - name: /opt/so/conf/telegraf/scripts - - user: 939 + - user: 0 - group: 939 - - file_mode: 755 + - file_mode: 700 - template: jinja - source: salt://telegraf/scripts @@ -36,15 +37,13 @@ tgrafconf: so-telegraf: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-telegraf:{{ VERSION }} - environment: - HOST_PROC=/host/proc - HOST_ETC=/host/etc - HOST_SYS=/host/sys - HOST_MOUNT_PREFIX=/host - network_mode: host - - port_bindings: - - 127.0.0.1:8094:8094 - binds: - /opt/so/log/telegraf:/var/log/telegraf:rw - /opt/so/conf/telegraf/etc/telegraf.conf:/etc/telegraf/telegraf.conf:ro @@ -55,7 +54,7 @@ so-telegraf: - /proc:/host/proc:ro - /nsm:/host/nsm:ro - /etc:/host/etc:ro - {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %} + {% if grains['role'] == 'so-manager' or grains['role'] == 'so-eval' or grains['role'] == 'so-managersearch' %} - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro {% else %} - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro diff --git a/salt/telegraf/scripts/suriloss.sh b/salt/telegraf/scripts/suriloss.sh index acfb8c214..48745c161 100644 --- a/salt/telegraf/scripts/suriloss.sh +++ b/salt/telegraf/scripts/suriloss.sh @@ -15,7 +15,9 @@ if [ $CHECKIT == 2 ]; then else CURRENTPACKETS=${RESULT[9]} PASTPACKETS=${RESULT[19]} - TOTAL=$(($CURRENTPACKETS - $PASTPACKETS)) + TOTALCURRENT=$(($CURRENTPACKETS + $CURRENTDROP)) + TOTALPAST=$(($PASTPACKETS + $PASTDROP)) + TOTAL=$(($TOTALCURRENT - $TOTALPAST)) LOSS=$(echo $DROPPED $TOTAL / p | dc) echo "suridrop drop=$LOSS" diff --git a/salt/thehive/etc/application.conf b/salt/thehive/etc/application.conf index 8630cb386..f06c3f7c6 100644 --- a/salt/thehive/etc/application.conf +++ b/salt/thehive/etc/application.conf @@ -1,4 +1,4 @@ -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} {%- set CORTEXKEY = salt['pillar.get']('static:cortexorguserkey', '') %} # Secret Key @@ -6,7 +6,7 @@ # WARNING: If you deploy your application on several servers, make sure to use the same key. play.http.secret.key="letsdewdis" play.http.context=/thehive/ -search.uri = "http://{{ MASTERIP }}:9400" +search.uri = "http://{{ MANAGERIP }}:9400" # Elasticsearch search { # Name of the index @@ -14,8 +14,8 @@ search { # Name of the Elasticsearch cluster cluster = thehive # Address of the Elasticsearch instance - host = ["{{ MASTERIP }}:9500"] - #search.uri = "http://{{ MASTERIP }}:9500" + host = ["{{ MANAGERIP }}:9500"] + #search.uri = "http://{{ MANAGERIP }}:9500" # Scroll keepalive keepalive = 1m # Size of the page for scroll @@ -135,7 +135,7 @@ play.modules.enabled += connectors.cortex.CortexConnector cortex { "CORTEX-SERVER-ID" { - url = "http://{{ MASTERIP }}:9001/cortex/" + url = "http://{{ MANAGERIP }}:9001/cortex/" key = "{{ CORTEXKEY }}" # # HTTP client configuration (SSL and proxy) # ws {} @@ -210,9 +210,9 @@ misp { } webhooks { NodeRedWebHook { - url = "http://{{ MASTERIP }}:1880/thehive" + url = "http://{{ MANAGERIP }}:1880/thehive" } #SOCtopusWebHook { - # url = "http://{{ MASTERIP }}:7000/enrich" + # url = "http://{{ MANAGERIP }}:7000/enrich" #} } diff --git a/salt/thehive/etc/cortex-application.conf b/salt/thehive/etc/cortex-application.conf index 1a887cdb3..b9cbe20cc 100644 --- a/salt/thehive/etc/cortex-application.conf +++ b/salt/thehive/etc/cortex-application.conf @@ -1,11 +1,11 @@ -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} # Secret Key # The secret key is used to secure cryptographic functions. # WARNING: If you deploy your application on several servers, make sure to use the same key. play.http.secret.key="letsdewdis" play.http.context=/cortex/ -search.uri = "http://{{ MASTERIP }}:9400" +search.uri = "http://{{ MANAGERIP }}:9400" # Elasticsearch search { @@ -14,7 +14,7 @@ search { # Name of the Elasticsearch cluster cluster = thehive # Address of the Elasticsearch instance - host = ["{{ MASTERIP }}:9500"] + host = ["{{ MANAGERIP }}:9500"] # Scroll keepalive keepalive = 1m # Size of the page for scroll @@ -127,4 +127,20 @@ analyzer { } } +## RESPONDERS +## +responder { + # Directory that holds responders + urls = ["/Cortex-Analyzers/responders", "/custom-responders"] + + fork-join-executor { + # Min number of threads available for analyze + parallelism-min = 2 + # Parallelism (threads) ... ceil(available processors * factor) + parallelism-factor = 2.0 + # Max number of threads available for analyze + parallelism-max = 4 + } +} + # It's the end my friend. Happy hunting! diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls index 732fe4a77..062637855 100644 --- a/salt/thehive/init.sls +++ b/salt/thehive/init.sls @@ -1,6 +1,7 @@ -{% set MASTERIP = salt['pillar.get']('master:mainip', '') %} +{% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} thehiveconfdir: file.directory: - name: /opt/so/conf/thehive/etc @@ -45,6 +46,20 @@ cortexconf: - group: 939 - template: jinja +cortexanalyzers: + file.directory: + - name: /opt/so/conf/cortex/custom-analyzers + - user: 939 + - group: 939 + - template: jinja + +cortexresponders: + file.directory: + - name: /opt/so/conf/cortex/custom-responders + - user: 939 + - group: 939 + - template: jinja + # Install Elasticsearch # Made directory for ES data to live in @@ -57,7 +72,7 @@ thehiveesdata: so-thehive-es: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-es:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-thehive-es:{{ VERSION }} - hostname: so-thehive-es - name: so-thehive-es - user: 939 @@ -85,12 +100,14 @@ so-thehive-es: # Install Cortex so-cortex: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-cortex:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-thehive-cortex:{{ VERSION }} - hostname: so-cortex - name: so-cortex - user: 939 - binds: - /opt/so/conf/thehive/etc/cortex-application.conf:/opt/cortex/conf/application.conf:ro + - /opt/so/conf/cortex/custom-analyzers:/custom-analyzers:ro + - /opt/so/conf/cortex/custom-responders:/custom-responders:ro - port_bindings: - 0.0.0.0:9001:9001 @@ -99,12 +116,13 @@ cortexscript: - source: salt://thehive/scripts/cortex_init - cwd: /opt/so - template: jinja + - hide_output: True so-thehive: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-thehive:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-thehive:{{ VERSION }} - environment: - - ELASTICSEARCH_HOST={{ MASTERIP }} + - ELASTICSEARCH_HOST={{ MANAGERIP }} - hostname: so-thehive - name: so-thehive - user: 939 @@ -118,3 +136,4 @@ thehivescript: - source: salt://thehive/scripts/hive_init - cwd: /opt/so - template: jinja + - hide_output: True diff --git a/salt/thehive/scripts/cortex_init b/salt/thehive/scripts/cortex_init index 063ae498d..90980da9c 100644 --- a/salt/thehive/scripts/cortex_init +++ b/salt/thehive/scripts/cortex_init @@ -1,17 +1,17 @@ #!/bin/bash -{% set MASTERIP = salt['pillar.get']('static:masterip', '') %} -{%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', '') %} -{%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', '') %} -{%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %} -{%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %} -{%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %} -{%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %} +# {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} +# {%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', 'cortexadmin') %} +# {%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', 'cortexchangeme') %} +# {%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %} +# {%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %} +# {%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %} +# {%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %} default_salt_dir=/opt/so/saltstack/default cortex_init(){ sleep 60 - CORTEX_IP="{{MASTERIP}}" + CORTEX_IP="{{MANAGERIP}}" CORTEX_USER="{{CORTEXUSER}}" CORTEX_PASSWORD="{{CORTEXPASSWORD}}" CORTEX_KEY="{{CORTEXKEY}}" @@ -54,7 +54,7 @@ if [ -f /opt/so/state/cortex.txt ]; then exit 0 else rm -f garbage_file - while ! wget -O garbage_file {{MASTERIP}}:9500 2>/dev/null + while ! wget -O garbage_file {{MANAGERIP}}:9500 2>/dev/null do echo "Waiting for Elasticsearch..." rm -f garbage_file diff --git a/salt/thehive/scripts/hive_init b/salt/thehive/scripts/hive_init index 296004e77..a8307c0d6 100755 --- a/salt/thehive/scripts/hive_init +++ b/salt/thehive/scripts/hive_init @@ -1,12 +1,12 @@ #!/bin/bash -{% set MASTERIP = salt['pillar.get']('static:masterip', '') %} -{%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', '') %} -{%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %} -{%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %} +# {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} +# {%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', 'hiveadmin') %} +# {%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', 'hivechangeme') %} +# {%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %} thehive_init(){ sleep 120 - THEHIVE_IP="{{MASTERIP}}" + THEHIVE_IP="{{MANAGERIP}}" THEHIVE_USER="{{THEHIVEUSER}}" THEHIVE_PASSWORD="{{THEHIVEPASSWORD}}" THEHIVE_KEY="{{THEHIVEKEY}}" @@ -52,7 +52,7 @@ if [ -f /opt/so/state/thehive.txt ]; then exit 0 else rm -f garbage_file - while ! wget -O garbage_file {{MASTERIP}}:9400 2>/dev/null + while ! wget -O garbage_file {{MANAGERIP}}:9400 2>/dev/null do echo "Waiting for Elasticsearch..." rm -f garbage_file diff --git a/salt/top.sls b/salt/top.sls index 3629fbe0b..5f316dd15 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -1,19 +1,19 @@ -{%- set BROVER = salt['pillar.get']('static:broversion', '') -%} +{%- set ZEEKVER = salt['pillar.get']('static:zeekversion', '') -%} {%- set WAZUH = salt['pillar.get']('static:wazuh', '0') -%} -{%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%} -{%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%} -{%- set NAVIGATOR = salt['pillar.get']('master:navigator', '0') -%} -{%- set FREQSERVER = salt['pillar.get']('master:freq', '0') -%} -{%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%} -{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%} +{%- set THEHIVE = salt['pillar.get']('manager:thehive', '0') -%} +{%- set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') -%} +{%- set FREQSERVER = salt['pillar.get']('manager:freq', '0') -%} +{%- set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') -%} +{%- set FLEETMANAGER = salt['pillar.get']('static:fleet_manager', False) -%} {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%} -{%- set STRELKA = salt['pillar.get']('static:strelka', '0') -%} +{%- set STRELKA = salt['pillar.get']('strelka:enabled', '0') -%} base: 'os:CentOS': - match: grain + - yum - yum.packages '*': @@ -30,7 +30,7 @@ base: - telegraf - firewall - idstools - - suricata.master + - suricata.manager - pcap - suricata - zeek @@ -48,7 +48,7 @@ base: - pcap - suricata - healthcheck - {%- if BROVER != 'SURICATA' %} + {%- if ZEEKVER != 'SURICATA' %} - zeek {%- endif %} - wazuh @@ -56,7 +56,7 @@ base: - strelka {%- endif %} - filebeat - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} - schedule @@ -65,7 +65,7 @@ base: - ca - ssl - registry - - master + - manager - common - nginx - telegraf @@ -74,9 +74,9 @@ base: - soc - firewall - idstools - - suricata.master + - suricata.manager - healthcheck - {%- if FLEETMASTER or FLEETNODE or PLAYBOOK != 0 %} + {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} @@ -86,7 +86,7 @@ base: - kibana - pcap - suricata - {%- if BROVER != 'SURICATA' %} + {%- if ZEEKVER != 'SURICATA' %} - zeek {%- endif %} {%- if STRELKA %} @@ -95,7 +95,7 @@ base: - filebeat - curator - elastalert - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet - redis - fleet.install_package @@ -109,9 +109,6 @@ base: {%- if PLAYBOOK != 0 %} - playbook {%- endif %} - {%- if NAVIGATOR != 0 %} - - navigator - {%- endif %} {%- if FREQSERVER != 0 %} - freqserver {%- endif %} @@ -120,7 +117,7 @@ base: {%- endif %} - '*_master': + '*_manager': - ca - ssl - registry @@ -131,24 +128,23 @@ base: - grafana - soc - firewall - - master + - manager - idstools - - suricata.master + - suricata.manager - redis - {%- if FLEETMASTER or FLEETNODE or PLAYBOOK != 0 %} + {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} - wazuh {%- endif %} - - elasticsearch - logstash - kibana - elastalert - filebeat - utility - schedule - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet - fleet.install_package {%- endif %} @@ -159,9 +155,6 @@ base: {%- if PLAYBOOK != 0 %} - playbook {%- endif %} - {%- if NAVIGATOR != 0 %} - - navigator - {%- endif %} {%- if FREQSERVER != 0 %} - freqserver {%- endif %} @@ -173,7 +166,7 @@ base: - ca - ssl - registry - - master + - manager - common - nginx - telegraf @@ -182,21 +175,20 @@ base: - soc - firewall - idstools - - suricata.master + - suricata.manager - healthcheck - redis - {%- if FLEETMASTER or FLEETNODE or PLAYBOOK != 0 %} + {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} - wazuh {%- endif %} - - elasticsearch - logstash - kibana - pcap - suricata - {%- if BROVER != 'SURICATA' %} + {%- if ZEEKVER != 'SURICATA' %} - zeek {%- endif %} {%- if STRELKA %} @@ -205,7 +197,7 @@ base: - filebeat - curator - elastalert - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet - redis - fleet.install_package @@ -219,9 +211,6 @@ base: {%- if PLAYBOOK != 0 %} - playbook {%- endif %} - {%- if NAVIGATOR != 0 %} - - navigator - {%- endif %} {%- if FREQSERVER != 0 %} - freqserver {%- endif %} @@ -236,7 +225,7 @@ base: - common - firewall - logstash - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} - schedule @@ -246,9 +235,8 @@ base: - common - firewall - logstash - - elasticsearch - curator - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} - schedule @@ -258,7 +246,7 @@ base: - common - firewall - elasticsearch - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} - schedule @@ -274,15 +262,14 @@ base: - wazuh {%- endif %} - logstash - - elasticsearch - curator - filebeat - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} - schedule - '*_mastersensor': + '*_managersensor': - common - nginx - telegraf @@ -290,13 +277,13 @@ base: - grafana - firewall - sensor - - master - {%- if FLEETMASTER or FLEETNODE %} + - manager + {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} - schedule - '*_mastersearch': + '*_managersearch': - ca - ssl - registry @@ -307,25 +294,24 @@ base: - grafana - soc - firewall - - master + - manager - idstools - - suricata.master + - suricata.manager - redis - {%- if FLEETMASTER or FLEETNODE or PLAYBOOK != 0 %} + {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} - wazuh {%- endif %} - logstash - - elasticsearch - curator - kibana - elastalert - filebeat - utility - schedule - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet - fleet.install_package {%- endif %} @@ -336,9 +322,6 @@ base: {%- if PLAYBOOK != 0 %} - playbook {%- endif %} - {%- if NAVIGATOR != 0 %} - - navigator - {%- endif %} {%- if FREQSERVER != 0 %} - freqserver {%- endif %} @@ -357,15 +340,14 @@ base: - wazuh {%- endif %} - logstash - - elasticsearch - curator - filebeat - {%- if FLEETMASTER or FLEETNODE %} + {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} - pcap - suricata - {%- if BROVER != 'SURICATA' %} + {%- if ZEEKVER != 'SURICATA' %} - zeek {%- endif %} - filebeat diff --git a/salt/utility/bin/crossthestreams b/salt/utility/bin/crossthestreams index c8768230e..d21e3c1a4 100644 --- a/salt/utility/bin/crossthestreams +++ b/salt/utility/bin/crossthestreams @@ -1,6 +1,6 @@ #!/bin/bash -{% set ES = salt['pillar.get']('master:mainip', '') %} -{%- set MASTER = grains['master'] %} +{% set ES = salt['pillar.get']('manager:mainip', '') %} +{%- set MANAGER = salt['grains.get']('master') %} # Wait for ElasticSearch to come up, so that we can query for version infromation echo -n "Waiting for ElasticSearch..." @@ -29,7 +29,7 @@ fi echo "Applying cross cluster search config..." curl -s -XPUT http://{{ ES }}:9200/_cluster/settings \ -H 'Content-Type: application/json' \ - -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ MASTER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" + -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" # Add all the search nodes to cross cluster searching. diff --git a/salt/utility/bin/eval b/salt/utility/bin/eval index 7ff0ef886..87692e40f 100644 --- a/salt/utility/bin/eval +++ b/salt/utility/bin/eval @@ -1,5 +1,5 @@ #!/bin/bash -{% set ES = salt['pillar.get']('master:mainip', '') %} +{% set ES = salt['pillar.get']('manager:mainip', '') %} # Wait for ElasticSearch to come up, so that we can query for version infromation echo -n "Waiting for ElasticSearch..." diff --git a/salt/utility/init.sls b/salt/utility/init.sls index 87cfe8e87..00899f69a 100644 --- a/salt/utility/init.sls +++ b/salt/utility/init.sls @@ -1,5 +1,5 @@ # This state is for checking things -{% if grains['role'] in ['so-master', 'so-mastersearch', 'so-standalone'] %} +{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] %} # Make sure Cross Cluster is good. Will need some logic once we have hot/warm crossclusterson: cmd.script: diff --git a/salt/wazuh/files/agent/ossec.conf b/salt/wazuh/files/agent/ossec.conf index 95d17bc8d..8d38868ef 100644 --- a/salt/wazuh/files/agent/ossec.conf +++ b/salt/wazuh/files/agent/ossec.conf @@ -1,12 +1,12 @@ -{%- if grains['role'] in ['so-master', 'so-eval', 'so-mastersearch', 'so-standalone'] %} - {%- set ip = salt['pillar.get']('static:masterip', '') %} +{%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %} + {%- set ip = salt['pillar.get']('static:managerip', '') %} {%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %} - {%- set ip = salt['pillar.get']('node:mainip', '') %} + {%- set ip = salt['pillar.get']('elasticsearch:mainip', '') %} {%- elif grains['role'] == 'so-sensor' %} {%- set ip = salt['pillar.get']('sensor:mainip', '') %} {%- endif %} diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent index c636cd899..f2fd8693f 100755 --- a/salt/wazuh/files/agent/wazuh-register-agent +++ b/salt/wazuh/files/agent/wazuh-register-agent @@ -1,7 +1,7 @@ -{%- if grains['role'] in ['so-master', 'so-eval', 'so-mastersearch', 'so-standalone'] %} - {%- set ip = salt['pillar.get']('static:masterip', '') %} +{%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %} + {%- set ip = salt['pillar.get']('static:managerip', '') %} {%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %} - {%- set ip = salt['pillar.get']('node:mainip', '') %} + {%- set ip = salt['pillar.get']('elasticsearch:mainip', '') %} {%- elif grains['role'] == 'so-sensor' %} {%- set ip = salt['pillar.get']('sensor:mainip', '') %} {%- endif %} diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist index 66dc13cd9..d39d68e36 100755 --- a/salt/wazuh/files/wazuh-manager-whitelist +++ b/salt/wazuh/files/wazuh-manager-whitelist @@ -1,4 +1,4 @@ -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} {%- set WAZUH_ENABLED = salt['pillar.get']('static:wazuh', '0') %} #!/bin/bash local_salt_dir=/opt/so/saltstack/local @@ -21,12 +21,12 @@ local_salt_dir=/opt/so/saltstack/local # Check if Wazuh enabled if [ {{ WAZUH_ENABLED }} ]; then WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" - if ! grep -q "{{ MASTERIP }}" $WAZUH_MGR_CFG ; then + if ! grep -q "{{ MANAGERIP }}" $WAZUH_MGR_CFG ; then DATE=`date` sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG - echo -e "\n \n {{ MASTERIP }}\n \n" >> $WAZUH_MGR_CFG - echo "Added whitelist entry for {{ MASTERIP }} in $WAZUH_MGR_CFG." + echo -e "\n \n {{ MANAGERIP }}\n \n" >> $WAZUH_MGR_CFG + echo "Added whitelist entry for {{ MANAGERIP }} in $WAZUH_MGR_CFG." echo fi fi diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 6f8cf5029..2ae4ea715 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -1,6 +1,7 @@ {%- set HOSTNAME = salt['grains.get']('host', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} # Add ossec group ossecgroup: group.present: @@ -83,13 +84,14 @@ wazuhmgrwhitelist: so-wazuh: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-wazuh:{{ VERSION }} - hostname: {{HOSTNAME}}-wazuh-manager - name: so-wazuh - detach: True - port_bindings: - 0.0.0.0:1514:1514/udp - 0.0.0.0:1514:1514/tcp + - 0.0.0.0:1515:1515/tcp - 0.0.0.0:55000:55000 - binds: - /opt/so/wazuh:/var/ossec/data:rw diff --git a/salt/yum/etc/yum.conf.jinja b/salt/yum/etc/yum.conf.jinja new file mode 100644 index 000000000..aab63550b --- /dev/null +++ b/salt/yum/etc/yum.conf.jinja @@ -0,0 +1,16 @@ +[main] +cachedir=/var/cache/yum/$basearch/$releasever +keepcache=0 +debuglevel=2 +logfile=/var/log/yum.log +exactarch=1 +obsoletes=1 +gpgcheck=1 +plugins=1 +installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }} +bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum +distroverpkg=centos-release + +{% if salt['pillar.get']('static:managerupdate', '0') %} +proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142 +{% endif %} \ No newline at end of file diff --git a/salt/yum/init.sls b/salt/yum/init.sls new file mode 100644 index 000000000..c91de908e --- /dev/null +++ b/salt/yum/init.sls @@ -0,0 +1,6 @@ +yumconf: + file.managed: + - name: /etc/yum.conf + - source: salt://yum/etc/yum.conf.jinja + - mode: 644 + - template: jinja \ No newline at end of file diff --git a/salt/zeek/fileextraction_defaults.yaml b/salt/zeek/fileextraction_defaults.yaml new file mode 100644 index 000000000..3823b8203 --- /dev/null +++ b/salt/zeek/fileextraction_defaults.yaml @@ -0,0 +1,29 @@ +zeek: + policy: + file_extraction: + - application/x-dosexec: exe + - application/pdf: pdf + - application/msword: doc + - application/vnd.ms-powerpoint: doc + - application/rtf: doc + - application/vnd.ms-word.document.macroenabled.12: doc + - application/vnd.ms-word.template.macroenabled.12: doc + - application/vnd.ms-powerpoint.template.macroenabled.12: doc + - application/vnd.ms-excel: doc + - application/vnd.ms-excel.addin.macroenabled.12: doc + - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc + - application/vnd.ms-excel.template.macroenabled.12: doc + - application/vnd.ms-excel.sheet.macroenabled.12: doc + - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc + - application/vnd.openxmlformats-officedocument.presentationml.slide: doc + - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc + - application/vnd.openxmlformats-officedocument.presentationml.template: doc + - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc + - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc + - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc + - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc + - application/vnd.ms-powerpoint.addin.macroenabled.12: doc + - application/vnd.ms-powerpoint.slide.macroenabled.12: doc + - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc + - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc + - application/vnd.openxmlformats-officedocument: doc \ No newline at end of file diff --git a/salt/zeek/files/node.cfg b/salt/zeek/files/node.cfg index 6f9608113..55f77982c 100644 --- a/salt/zeek/files/node.cfg +++ b/salt/zeek/files/node.cfg @@ -1,15 +1,14 @@ {%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} - -{%- if salt['pillar.get']('sensor:bro_pins') or salt['pillar.get']('sensor:bro_lbprocs') %} -{%- if salt['pillar.get']('sensor:bro_proxies') %} - {%- set proxies = salt['pillar.get']('sensor:bro_proxies', '1') %} -{%- else %} - {%- if salt['pillar.get']('sensor:bro_pins') %} - {%- set proxies = (salt['pillar.get']('sensor:bro_pins')|length/10)|round(0, 'ceil')|int %} +{%- if salt['pillar.get']('sensor:zeek_pins') or salt['pillar.get']('sensor:zeek_lbprocs') %} + {%- if salt['pillar.get']('sensor:zeek_proxies') %} + {%- set proxies = salt['pillar.get']('sensor:zeek_proxies', '1') %} {%- else %} - {%- set proxies = (salt['pillar.get']('sensor:bro_lbprocs')/10)|round(0, 'ceil')|int %} + {%- if salt['pillar.get']('sensor:zeek_pins') %} + {%- set proxies = (salt['pillar.get']('sensor:zeek_pins')|length/10)|round(0, 'ceil')|int %} + {%- else %} + {%- set proxies = (salt['pillar.get']('sensor:zeek_lbprocs')/10)|round(0, 'ceil')|int %} + {%- endif %} {%- endif %} -{%- endif %} [manager] type=manager host=localhost @@ -27,20 +26,19 @@ type=worker host=localhost interface=af_packet::{{ interface }} lb_method=custom - -{%- if salt['pillar.get']('sensor:bro_lbprocs') %} -lb_procs={{ salt['pillar.get']('sensor:bro_lbprocs', '1') }} -{%- else %} -lb_procs={{ salt['pillar.get']('sensor:bro_pins')|length }} -{%- endif %} -{%- if salt['pillar.get']('sensor:bro_pins') %} -pin_cpus={{ salt['pillar.get']('sensor:bro_pins')|join(", ") }} -{%- endif %} + {%- if salt['pillar.get']('sensor:zeek_lbprocs') %} +lb_procs={{ salt['pillar.get']('sensor:zeek_lbprocs', '1') }} + {%- else %} +lb_procs={{ salt['pillar.get']('sensor:zeek_pins')|length }} + {%- endif %} + {%- if salt['pillar.get']('sensor:zeek_pins') %} +pin_cpus={{ salt['pillar.get']('sensor:zeek_pins')|join(", ") }} + {%- endif %} af_packet_fanout_id=23 af_packet_fanout_mode=AF_Packet::FANOUT_HASH -af_packet_buffer_size=128*1024*1024 +af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }} {%- else %} -[brosa] +[zeeksa] type=standalone host=localhost interface={{ interface }} diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 246b43c90..68908a2ce 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -1,5 +1,6 @@ {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} +{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} {% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %} {% set BPF_STATUS = 0 %} {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} @@ -42,7 +43,7 @@ zeekspooldir: file.directory: - name: /nsm/zeek/spool/manager - user: 937 - - makedirs: true + - makedirs: True # Zeek extracted zeekextractdir: @@ -56,7 +57,7 @@ zeekextractcompletedir: file.directory: - name: /nsm/zeek/extracted/complete - user: 937 - - makedirs: true + - makedirs: True # Sync the policies zeekpolicysync: @@ -67,6 +68,15 @@ zeekpolicysync: - group: 939 - template: jinja +# Sync Intel +zeekintelloadsync: + file.managed: + - name: /opt/so/conf/policy/intel/__load__.zeek + - source: salt://zeek/policy/intel/__load__.zeek + - user: 937 + - group: 939 + - makedirs: True + zeekctlcfg: file.managed: - name: /opt/so/conf/zeek/zeekctl.cfg @@ -86,20 +96,20 @@ nodecfgsync: - group: 939 - template: jinja -zeekcleanscript: - file.managed: - - name: /usr/local/bin/zeek_clean - - source: salt://zeek/cron/zeek_clean - - mode: 755 +#zeekcleanscript: +# file.managed: +# - name: /usr/local/bin/zeek_clean +# - source: salt://zeek/cron/zeek_clean +# - mode: 755 -/usr/local/bin/zeek_clean: - cron.present: - - user: root - - minute: '*' - - hour: '*' - - daymonth: '*' - - month: '*' - - dayweek: '*' +#/usr/local/bin/zeek_clean: +# cron.present: +# - user: root +# - minute: '*' +# - hour: '*' +# - daymonth: '*' +# - month: '*' +# - dayweek: '*' plcronscript: file.managed: @@ -156,7 +166,7 @@ localzeeksync: so-zeek: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-zeek:{{ VERSION }} + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }} - privileged: True - binds: - /nsm/zeek/logs:/nsm/zeek/logs:rw @@ -177,3 +187,4 @@ so-zeek: - file: /opt/so/conf/zeek/zeekctl.cfg - file: /opt/so/conf/zeek/policy - file: /opt/so/conf/zeek/bpf + \ No newline at end of file diff --git a/salt/zeek/policy/intel/__load__.zeek b/salt/zeek/policy/intel/__load__.zeek index 4a4d603a7..4df4e0265 100644 --- a/salt/zeek/policy/intel/__load__.zeek +++ b/salt/zeek/policy/intel/__load__.zeek @@ -1 +1,6 @@ -#Intel +@load frameworks/intel/seen +@load frameworks/intel/do_notice +@load frameworks/files/hash-all-files +redef Intel::read_files += { + "/opt/zeek/share/zeek/policy/intel/intel.dat" +}; \ No newline at end of file diff --git a/salt/zeek/policy/securityonion/file-extraction/extract.zeek b/salt/zeek/policy/securityonion/file-extraction/extract.zeek index fbb635982..6f59ed447 100644 --- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek +++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek @@ -1,3 +1,4 @@ +{%- import_yaml "zeek/fileextraction_defaults.yaml" as zeek with context %} # Directory to stage Zeek extracted files before processing redef FileExtract::prefix = "/nsm/zeek/extracted/"; # Set a limit to the file size @@ -5,33 +6,17 @@ redef FileExtract::default_limit = 9000000; # These are the mimetypes we want to rip off the networks export { global _mime_whitelist: table[string] of string = { - ["application/x-dosexec"] = "exe", - ["application/pdf"] = "pdf", - ["application/msword"] = "doc", - ["application/vnd.ms-powerpoint"] = "doc", - ["application/rtf"] = "doc", - ["application/vnd.ms-word.document.macroenabled.12"] = "doc", - ["application/vnd.ms-word.template.macroenabled.12"] = "doc", - ["application/vnd.ms-powerpoint.template.macroenabled.12"] = "doc", - ["application/vnd.ms-excel"] = "doc", - ["application/vnd.ms-excel.addin.macroenabled.12"] = "doc", - ["application/vnd.ms-excel.sheet.binary.macroenabled.12"] = "doc", - ["application/vnd.ms-excel.template.macroenabled.12"] = "doc", - ["application/vnd.ms-excel.sheet.macroenabled.12"] = "doc", - ["application/vnd.openxmlformats-officedocument.presentationml.presentation"] = "doc", - ["application/vnd.openxmlformats-officedocument.presentationml.slide"] = "doc", - ["application/vnd.openxmlformats-officedocument.presentationml.slideshow"] = "doc", - ["application/vnd.openxmlformats-officedocument.presentationml.template"] = "doc", - ["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "doc", - ["application/vnd.openxmlformats-officedocument.spreadsheetml.template"] = "doc", - ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "doc", - ["application/vnd.openxmlformats-officedocument.wordprocessingml.template"] = "doc", - ["application/vnd.ms-powerpoint.addin.macroenabled.12"] = "doc", - ["application/vnd.ms-powerpoint.slide.macroenabled.12"] = "doc", - ["application/vnd.ms-powerpoint.presentation.macroenabled.12"] = "doc", - ["application/vnd.ms-powerpoint.slideshow.macroenabled.12"] = "doc", - ["application/vnd.openxmlformats-officedocument"] = "doc" - # Need to add other types such as zip, ps1, etc + {%- for li in zeek.zeek.policy.file_extraction %} + {%- if not loop.last %} + {%- for k,v in li.items() %} + ["{{ k }}"] = "{{ v }}", + {%- endfor %} + {%- else %} + {%- for k,v in li.items() %} + ["{{ k }}"] = "{{ v }}" + {%- endfor %} + {%- endif %} + {%- endfor %} }; } # Start grabbing the file from the network if it matches the mimetype diff --git a/setup/automation/pm_standalone_defaults b/setup/automation/pm_standalone_defaults index 2f62fab98..d7bc1ea1f 100644 --- a/setup/automation/pm_standalone_defaults +++ b/setup/automation/pm_standalone_defaults @@ -23,16 +23,16 @@ ADMINPASS1=onionuser ADMINPASS2=onionuser ALLOW_CIDR=0.0.0.0/0 ALLOW_ROLE=a -BASICBRO=7 +BASICZEEK=7 BASICSURI=7 # BLOGS= BNICS=eth1 -BROVERSION=ZEEK +ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC GRAFANA=1 # HELIXAPIKEY= -HNMASTER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit HOSTNAME=standalone install_type=STANDALONE @@ -40,8 +40,8 @@ install_type=STANDALONE # LSINPUTTHREADS= # LSPIPELINEBATCH= # LSPIPELINEWORKERS= -MASTERADV=BASIC -MASTERUPDATES=1 +MANAGERADV=BASIC +MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= @@ -50,13 +50,12 @@ MNIC=eth0 # MSEARCH= # MSRV= # MTU= -NAVIGATOR=1 NIDS=Suricata # NODE_ES_HEAP_SIZE= # NODE_LS_HEAP_SIZE= NODESETUP=NODEBASIC NSMSETUP=BASIC -NODEUPDATES=MASTER +NODEUPDATES=MANAGER # OINKCODE= OSQUERY=1 # PATCHSCHEDULEDAYS= diff --git a/setup/files/intel.dat b/setup/files/intel.dat new file mode 100644 index 000000000..ca10994b6 --- /dev/null +++ b/setup/files/intel.dat @@ -0,0 +1,5 @@ +#fields indicator indicator_type meta.source meta.do_notice +# EXAMPLES: +#66.32.119.38 Intel::ADDR Test Address T +#www.honeynet.org Intel::DOMAIN Test Domain T +#4285358dd748ef74cb8161108e11cb73 Intel::FILE_HASH Test MD5 T diff --git a/setup/install_scripts/99-so-checksum-offload-disable b/setup/install_scripts/99-so-checksum-offload-disable index b8c21a299..917c0f72b 100755 --- a/setup/install_scripts/99-so-checksum-offload-disable +++ b/setup/install_scripts/99-so-checksum-offload-disable @@ -4,5 +4,5 @@ if [[ "$DEVICE_IFACE" != "$MNIC" && "$DEVICE_IFACE" != *"docker"* ]]; then for i in rx tx sg tso ufo gso gro lro; do ethtool -K "$DEVICE_IFACE" "$i" off; done - ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off + ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on fi \ No newline at end of file diff --git a/setup/so-common-functions b/setup/so-common-functions index fc380f85b..c3df787cc 100644 --- a/setup/so-common-functions +++ b/setup/so-common-functions @@ -1,6 +1,7 @@ #!/bin/bash source ./so-variables +source ../salt/common/tools/sbin/so-common # Helper functions @@ -31,9 +32,9 @@ filter_unused_nics() { calculate_useable_cores() { # Calculate reasonable core usage - local cores_for_bro=$(( (num_cpu_cores/2) - 1 )) + local cores_for_zeek=$(( (num_cpu_cores/2) - 1 )) local lb_procs_round - lb_procs_round=$(printf "%.0f\n" $cores_for_bro) + lb_procs_round=$(printf "%.0f\n" $cores_for_zeek) if [ "$lb_procs_round" -lt 1 ]; then lb_procs=1; else lb_procs=$lb_procs_round; fi export lb_procs diff --git a/setup/so-functions b/setup/so-functions index c3c7a36d2..89d0fdc7a 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -19,12 +19,12 @@ source ./so-whiptail source ./so-variables source ./so-common-functions -SOVERSION=HH1.4.1 +SOVERSION=$(cat ../VERSION) accept_salt_key_remote() { systemctl restart salt-minion - echo "Accept the key remotely on the master" >> "$setup_log" 2>&1 + echo "Accept the key remotely on the manager" >> "$setup_log" 2>&1 # Delete the key just in case. ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-key -d "$MINION_ID" -y salt-call state.apply ca @@ -43,14 +43,14 @@ add_admin_user() { } -add_master_hostfile() { +add_manager_hostfile() { [ -n "$TESTING" ] && return - echo "Checking if I can resolve master. If not add to hosts file" >> "$setup_log" 2>&1 + echo "Checking if I can resolve manager. If not add to hosts file" >> "$setup_log" 2>&1 # Pop up an input to get the IP address MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3) + "Enter your Manager Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -60,7 +60,7 @@ addtotab_generate_templates() { local addtotab_path=$local_salt_dir/pillar/data - for i in evaltab mastersearchtab mastertab nodestab sensorstab standalonetab; do + for i in evaltab managersearchtab managertab nodestab sensorstab standalonetab; do printf '%s\n'\ "$i:"\ "" > "$addtotab_path"/$i.sls @@ -79,7 +79,7 @@ so_add_user() { echo "Add $username user" >> "$setup_log" 2>&1 groupadd --gid "$gid" "$username" - useradd --uid "$uid" --gid "$gid" --home-dir "$home_dir" "$username" + useradd -m --uid "$uid" --gid "$gid" --home-dir "$home_dir" "$username" # If a password has been passed in, set the password if [ "$pass" ]; then @@ -87,11 +87,11 @@ so_add_user() { fi } -add_socore_user_master() { +add_socore_user_manager() { so_add_user "socore" "939" "939" "/opt/so" >> "$setup_log" 2>&1 } -add_soremote_user_master() { +add_soremote_user_manager() { so_add_user "soremote" "947" "947" "/home/soremote" "$SOREMOTEPASS1" >> "$setup_log" 2>&1 } @@ -143,18 +143,18 @@ secrets_pillar(){ } # Enable Bro Logs -bro_logs_enabled() { +zeek_logs_enabled() { echo "Enabling Bro Logs" >> "$setup_log" 2>&1 - local brologs_pillar=./pillar/brologs.sls + local zeeklogs_pillar=./pillar/zeeklogs.sls printf '%s\n'\ - "brologs:"\ - " enabled:" > "$brologs_pillar" + "zeeklogs:"\ + " enabled:" > "$zeeklogs_pillar" - if [ "$MASTERADV" = 'ADVANCED' ]; then + if [ "$MANAGERADV" = 'ADVANCED' ]; then for BLOG in "${BLOGS[@]}"; do - echo " - $BLOG" | tr -d '"' >> "$brologs_pillar" + echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar" done else printf '%s\n'\ @@ -195,11 +195,11 @@ bro_logs_enabled() { " - weird"\ " - mysql"\ " - socks"\ - " - x509" >> "$brologs_pillar" + " - x509" >> "$zeeklogs_pillar" fi printf '%s\n' '----' >> "$setup_log" 2>&1 - cat "$brologs_pillar" >> "$setup_log" 2>&1 + cat "$zeeklogs_pillar" >> "$setup_log" 2>&1 } check_admin_pass() { @@ -265,12 +265,12 @@ check_web_pass() { check_pass_match "$WEBPASSWD1" "$WEBPASSWD2" "WPMATCH" } -clear_master() { - # Clear out the old master public key in case this is a re-install. - # This only happens if you re-install the master. +clear_manager() { + # Clear out the old manager public key in case this is a re-install. + # This only happens if you re-install the manager. if [ -f /etc/salt/pki/minion/minion_master.pub ]; then { - echo "Clearing old master key"; + echo "Clearing old Salt master key"; rm -f /etc/salt/pki/minion/minion_master.pub; systemctl -q restart salt-minion; } >> "$setup_log" 2>&1 @@ -360,7 +360,7 @@ configure_minion() { 'helix') echo "master: $HOSTNAME" >> "$minion_config" ;; - 'master' | 'eval' | 'mastersearch' | 'standalone') + 'manager' | 'eval' | 'managersearch' | 'standalone') printf '%s\n'\ "master: $HOSTNAME"\ "mysql.host: '$MAINIP'"\ @@ -388,8 +388,6 @@ configure_minion() { printf '%s\n' '----'; cat "$minion_config"; } >> "$setup_log" 2>&1 - - } checkin_at_boot() { @@ -399,27 +397,33 @@ checkin_at_boot() { echo "startup_states: highstate" >> "$minion_config" } - check_requirements() { - local eval_or_dist=$1 + local standalone_or_dist=$1 local node_type=$2 # optional local req_mem local req_cores + local req_storage local nic_list readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0" | sed 's/ //g')" local num_nics=${#nic_list[@]} - - if [[ "$eval_or_dist" == 'eval' ]]; then + + if [[ "$standalone_or_dist" == 'standalone' ]]; then req_mem=12 req_cores=4 req_nics=2 - elif [[ "$eval_or_dist" == 'dist' ]]; then + req_storage=100 + elif [[ "$standalone_or_dist" == 'dist' ]]; then req_mem=8 req_cores=4 + req_storage=40 if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi fi + if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then + whiptail_requirements_error "disk space" "${free_space_root} GB" "${req_storage} GB" + fi + if [[ $num_nics -lt $req_nics ]]; then whiptail_requirements_error "NICs" "$num_nics" "$req_nics" fi @@ -429,13 +433,13 @@ check_requirements() { fi if [[ $total_mem_hr -lt $req_mem ]]; then - whiptail_requirements_error "memory" "${total_mem_hr}GB" "${req_mem}GB" + whiptail_requirements_error "memory" "${total_mem_hr} GB" "${req_mem} GB" fi } -copy_master_config() { +copy_salt_master_config() { - # Copy the master config template to the proper directory + # Copy the Salt master config template to the proper directory if [ "$setup_type" = 'iso' ]; then cp /root/SecurityOnion/files/master /etc/salt/master >> "$setup_log" 2>&1 else @@ -448,7 +452,7 @@ copy_master_config() { copy_minion_tmp_files() { case "$install_type" in - 'MASTER' | 'EVAL' | 'HELIXSENSOR' | 'MASTERSEARCH' | 'STANDALONE') + 'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE') echo "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" cp -Rv "$temp_install_dir"/pillar/ $local_salt_dir/ >> "$setup_log" 2>&1 if [ -d "$temp_install_dir"/salt ] ; then @@ -457,12 +461,16 @@ copy_minion_tmp_files() { ;; *) { - echo "scp pillar and salt files in $temp_install_dir to master $local_salt_dir"; + echo "scp pillar and salt files in $temp_install_dir to manager $local_salt_dir"; ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar; ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules; scp -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/; - scp -prv -i /root/.ssh/so.key "$temp_install_dir"/salt/patch/os/schedules/* soremote@"$MSRV":/tmp/"$MINION_ID"/schedules; - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/master/files/add_minion.sh "$MINION_ID"; + if [ -d $temp_install_dir/salt/patch/os/schedules/ ]; then + if [ "$(ls -A $temp_install_dir/salt/patch/os/schedules/)" ]; then + scp -prv -i /root/.ssh/so.key $temp_install_dir/salt/patch/os/schedules/* soremote@$MSRV:/tmp/$MINION_ID/schedules; + fi + fi + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/manager/files/add_minion.sh "$MINION_ID"; } >> "$setup_log" 2>&1 ;; esac @@ -475,48 +483,65 @@ copy_ssh_key() { mkdir -p /root/.ssh ssh-keygen -f /root/.ssh/so.key -t rsa -q -N "" < /dev/zero chown -R "$SUDO_USER":"$SUDO_USER" /root/.ssh - echo "Copying the SSH key to the master" - #Copy the key over to the master + echo "Copying the SSH key to the manager" + #Copy the key over to the manager ssh-copy-id -f -i /root/.ssh/so.key soremote@"$MSRV" } create_local_directories() { - echo "Creating local pillar and salt directories" - PILLARSALTDIR=${SCRIPTDIR::-5} - for i in "pillar" "salt"; do - for d in `find $PILLARSALTDIR/$i -type d`; do - suffixdir=${d//$PILLARSALTDIR/} - if [ ! -d "$local_salt_dir/$suffixdir" ]; then - mkdir -v "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1 - fi - done - chown -R socore:socore "$local_salt_dir/$i" - done + echo "Creating local pillar and salt directories" + PILLARSALTDIR=${SCRIPTDIR::-5} + for i in "pillar" "salt"; do + for d in $(find $PILLARSALTDIR/$i -type d); do + suffixdir=${d//$PILLARSALTDIR/} + if [ ! -d "$local_salt_dir/$suffixdir" ]; then + mkdir -v "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1 + fi + done + chown -R socore:socore "$local_salt_dir/$i" + done } -create_sensor_bond() { - echo "Setting up sensor bond" >> "$setup_log" 2>&1 - +configure_network_sensor() { + echo "Setting up sensor interface" >> "$setup_log" 2>&1 local nic_error=0 - check_network_manager_conf >> "$setup_log" 2>&1 - # Set the MTU if [[ $NSMSETUP != 'ADVANCED' ]]; then - MTU=1500 + if [[ $is_cloud ]]; then MTU=1575; else MTU=1500; fi + fi + + if [[ $is_cloud ]]; then + INTERFACE=${BNICS[0]} + local nmcli_con_arg="type ethernet" + else + INTERFACE='bond0' + local nmcli_con_arg="type bond mode 0" fi # Create the bond interface only if it doesn't already exist - if ! [[ $(nmcli -f name,uuid -p con | sed -n 's/bond0 //p' | tr -d ' ') ]]; then - nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \ + + nmcli -f name,uuid -p con | grep -q "$INTERFACE" >> "$setup_log" 2>&1 + local found_int=$? + + if [[ $found_int != 0 ]]; then + nmcli con add ifname "$INTERFACE" con-name "$INTERFACE" $nmcli_con_arg -- \ + ipv4.method disabled \ + ipv6.method ignore \ + ethernet.mtu $MTU \ + connection.autoconnect "yes" >> "$setup_log" 2>&1 + else + local int_uuid + int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/$INTERFACE //p" | tr -d ' ') + + nmcli con mod "$int_uuid" \ ipv4.method disabled \ ipv6.method ignore \ ethernet.mtu $MTU \ connection.autoconnect "yes" >> "$setup_log" 2>&1 fi - for BNIC in "${BNICS[@]}"; do # Check if specific offload features are able to be disabled for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do @@ -532,15 +557,29 @@ create_sensor_bond() { ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1 done - # Check if the bond slave connection has already been created - if ! [[ $(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ') ]]; then - # Create the slave interface and assign it to the bond - nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \ - ethernet.mtu $MTU \ - connection.autoconnect "yes" >> "$setup_log" 2>&1 - fi + if [[ $is_cloud ]]; then + nmcli con up "$BNIC" >> "$setup_log" 2>&1 + else + # Check if the bond slave connection has already been created + nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC" >> "$setup_log" 2>&1 + local found_int=$? + + if [[ $found_int != 0 ]]; then + # Create the slave interface and assign it to the bond + nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \ + ethernet.mtu $MTU \ + connection.autoconnect "yes" >> "$setup_log" 2>&1 + else + local int_uuid + int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ') - nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up + nmcli con mod "$int_uuid" \ + ethernet.mtu $MTU \ + connection.autoconnect "yes" >> "$setup_log" 2>&1 + fi + + nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up + fi done if [ $nic_error != 0 ]; then @@ -548,6 +587,11 @@ create_sensor_bond() { fi } +detect_cloud() { + echo "Testing if setup is running on a cloud instance..." >> "$setup_log" 2>&1 + if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null); then export is_cloud="true"; fi +} + detect_os() { # Detect Base OS @@ -565,10 +609,23 @@ detect_os() { exit 1 fi + echo "Installing required packages to run installer..." >> "$setup_log" 2>&1 # Install bind-utils so the host command exists if ! command -v host > /dev/null 2>&1; then - echo "Installing required packages to run installer" - yum -y install bind-utils yum-plugin-versionlock >> "$setup_log" 2>&1 + yum -y install bind-utils >> "$setup_log" 2>&1 + fi + if ! command -v nmcli > /dev/null 2>&1; then + { + yum -y install NetworkManager; + systemctl enable NetworkManager; + systemctl start NetworkManager; + } >> "$setup_log" 2<&1 + fi + if ! command -v bc > /dev/null 2>&1; then + yum -y install bc >> "$setup_log" 2>&1 + fi + if ! yum versionlock > /dev/null 2>&1; then + yum -y install yum-plugin-versionlock >> "$setup_log" 2>&1 fi @@ -582,15 +639,17 @@ detect_os() { echo "We do not support your current version of Ubuntu." exit 1 fi + + echo "Installing required packages to run installer..." # Install network manager so we can do interface stuff if ! command -v nmcli > /dev/null 2>&1; then - echo "Installing required packages to run installer" { apt-get install -y network-manager; systemctl enable NetworkManager; systemctl start NetworkManager; } >> "$setup_log" 2<&1 fi + apt-get install -y bc >> "$setup_log" 2>&1 else echo "We were unable to determine if you are using a supported OS." @@ -601,12 +660,14 @@ detect_os() { } -disable_onion_user() { - # Disable the default account cause security. - usermod -L onion - +disable_auto_start() { + # Remove the automated setup script from crontab, if it exists - crontab -u onion -r + crontab -u $INSTALLUSERNAME -r + + # Truncate last line of the bash profile + sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile + } disable_misc_network_features() { @@ -648,7 +709,7 @@ docker_install() { else case "$install_type" in - 'MASTER' | 'EVAL') + 'MANAGER' | 'EVAL') apt-get update >> "$setup_log" 2>&1 ;; *) @@ -678,7 +739,7 @@ docker_registry() { echo "Setting up Docker Registry" >> "$setup_log" 2>&1 mkdir -p /etc/docker >> "$setup_log" 2>&1 - # Make the host use the master docker registry + # Make the host use the manager docker registry if [ -n "$TURBO" ]; then local proxy="$TURBO"; else local proxy="https://$MSRV"; fi printf '%s\n'\ "{"\ @@ -718,7 +779,7 @@ docker_seed_registry() { "so-influxdb:$VERSION" \ "so-kibana:$VERSION" \ "so-mysql:$VERSION" \ - "so-navigator:$VERSION" \ + "so-pcaptools:$VERSION" \ "so-playbook:$VERSION" \ "so-soc:$VERSION" \ "so-kratos:$VERSION" \ @@ -740,14 +801,14 @@ docker_seed_registry() { set_progress_str "$percent" "Downloading $i" { - if ! docker pull --disable-content-trust=false docker.io/soshybridhunter/"$i"; then + if ! docker pull --disable-content-trust=false docker.io/$IMAGEREPO/"$i"; then sleep 5 - docker pull --disable-content-trust=false docker.io/soshybridhunter/"$i" + docker pull --disable-content-trust=false docker.io/$IMAGEREPO/"$i" fi # Tag it with the new registry destination - docker tag soshybridhunter/"$i" "$HOSTNAME":5000/soshybridhunter/"$i" - docker push "$HOSTNAME":5000/soshybridhunter/"$i" - #docker rmi soshybridhunter/"$i" + docker tag $IMAGEREPO/"$i" "$HOSTNAME":5000/$IMAGEREPO/"$i" + docker push "$HOSTNAME":5000/$IMAGEREPO/"$i" + #docker rmi $IMAGEREPO/"$i" } >> "$setup_log" 2>&1 done else @@ -778,7 +839,7 @@ firewall_generate_templates() { cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/ >> "$setup_log" 2>&1 - for i in analyst beats_endpoint sensor master minion osquery_endpoint search_node wazuh_endpoint; do + for i in analyst beats_endpoint sensor manager minion osquery_endpoint search_node wazuh_endpoint; do $default_salt_dir/salt/common/tools/sbin/so-firewall includehost "$i" 127.0.0.1 done @@ -792,7 +853,7 @@ fleet_pillar() { printf '%s\n'\ "fleet:"\ " mainip: $MAINIP"\ - " master: $MSRV"\ + " manager: $MSRV"\ "" > "$pillar_file" } @@ -810,7 +871,6 @@ generate_passwords(){ } get_redirect() { - whiptail_set_redirect_info whiptail_set_redirect if [ "$REDIRECTINFO" = "OTHER" ]; then whiptail_set_redirect_host @@ -829,7 +889,7 @@ got_root() { get_minion_type() { local minion_type case "$install_type" in - 'EVAL' | 'MASTERSEARCH' | 'MASTER' | 'SENSOR' | 'HEAVYNODE' | 'FLEET' | 'STANDALONE') + 'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'FLEET' | 'STANDALONE') minion_type=$(echo "$install_type" | tr '[:upper:]' '[:lower:]') ;; 'HELIXSENSOR') @@ -862,45 +922,35 @@ install_cleanup() { } -master_pillar() { +manager_pillar() { local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls - # Create the master pillar + if [ -z "$SENSOR_CHECKIN_INTERVAL_MS" ]; then + SENSOR_CHECKIN_INTERVAL_MS=10000 + if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'STANDALONE' ]; then + SENSOR_CHECKIN_INTERVAL_MS=1000 + fi + fi + + # Create the manager pillar printf '%s\n'\ - "master:"\ + "manager:"\ " mainip: $MAINIP"\ " mainint: $MNIC"\ " esheap: $ES_HEAP_SIZE"\ " esclustername: {{ grains.host }}"\ " freq: 0"\ " domainstats: 0" >> "$pillar_file" + - if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'HELIXSENSOR' ] || [ "$install_type" = 'MASTERSEARCH' ] || [ "$install_type" = 'STANDALONE' ]; then + if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'HELIXSENSOR' ] || [ "$install_type" = 'MANAGERSEARCH' ] || [ "$install_type" = 'STANDALONE' ]; then printf '%s\n'\ - " ls_pipeline_batch_size: 125"\ - " ls_input_threads: 1"\ - " ls_batch_count: 125"\ " mtu: $MTU" >> "$pillar_file" fi - case $REDIRECTINFO in - 'IP') - REDIRECTIT="$MAINIP" - ;; - 'HOSTNAME') - REDIRECTIT=$HOSTNAME - ;; - *) - REDIRECTIT="$REDIRECTHOST" - ;; - esac - printf '%s\n'\ - " lsheap: $LS_HEAP_SIZE"\ - " lsaccessip: 127.0.0.1"\ " elastalert: 1"\ - " ls_pipeline_workers: $num_cpu_cores"\ " nids_rules: $RULESETUP"\ " oinkcode: $OINKCODE"\ " es_port: $node_es_port"\ @@ -910,10 +960,40 @@ master_pillar() { " osquery: $OSQUERY"\ " thehive: $THEHIVE"\ " playbook: $PLAYBOOK"\ - " navigator: $NAVIGATOR"\ " url_base: $REDIRECTIT"\ ""\ + "elasticsearch:"\ + " mainip: $MAINIP"\ + " mainint: $MNIC"\ + " esheap: $NODE_ES_HEAP_SIZE"\ + " esclustername: {{ grains.host }}"\ + " node_type: $NODETYPE"\ + " es_port: $node_es_port"\ + " log_size_limit: $log_size_limit"\ + " node_route_type: hot"\ + ""\ + "logstash_settings:"\ + " ls_pipeline_batch_size: 125"\ + " ls_input_threads: 1"\ + " ls_batch_count: 125"\ + " lsheap: $LS_HEAP_SIZE"\ + " ls_pipeline_workers: $num_cpu_cores"\ + ""\ + "pcap:">> "$pillar_file"\ + " sensor_checkin_interval_ms: $SENSOR_CHECKIN_INTERVAL_MS"\ + ""\ + "idstools:"\ + " config:"\ + " ruleset: $RULESETUP"\ + " oinkcode: $OINKCODE"\ + " urls:"\ + " sids:"\ + " enabled:"\ + " disabled:"\ + " modify:"\ + ""\ "kratos:" >> "$pillar_file" + printf '%s\n'\ " kratoskey: $KRATOSKEY"\ @@ -923,41 +1003,107 @@ master_pillar() { cat "$pillar_file" >> "$setup_log" 2>&1 } -master_static() { +manager_static() { local static_pillar="$local_salt_dir/pillar/static.sls" # Create a static file for global values printf '%s\n'\ "static:"\ " soversion: $SOVERSION"\ - " hnmaster: $HNMASTER"\ + " hnmanager: $HNMANAGER"\ " ntpserver: $NTPSERVER"\ " proxy: $PROXY"\ - " broversion: $BROVERSION"\ + " zeekversion: $ZEEKVERSION"\ " ids: $NIDS"\ - " masterip: $MAINIP"\ - " hiveuser: hiveadmin"\ - " hivepassword: hivechangeme"\ + " managerip: $MAINIP"\ + " hiveuser: $WEBUSER"\ + " hivepassword: $WEBPASSWD1"\ " hivekey: $HIVEKEY"\ - " cortexuser: cortexadmin"\ - " cortexpassword: cortexchangeme"\ + " cortexuser: $WEBUSER"\ + " cortexpassword: $WEBPASSWD1"\ " cortexkey: $CORTEXKEY"\ " cortexorgname: SecurityOnion"\ - " cortexorguser: soadmin"\ + " cortexorguser: $WEBUSER"\ " cortexorguserkey: $CORTEXORGUSERKEY"\ " fleet_custom_hostname: "\ - " fleet_master: False"\ + " fleet_manager: False"\ " fleet_node: False"\ " fleet_packages-timestamp: N/A"\ " fleet_packages-version: 1"\ " fleet_hostname: N/A"\ " fleet_ip: N/A"\ " sensoronikey: $SENSORONIKEY"\ - " strelka: $STRELKA"\ - " wazuh: $WAZUH"\ - " masterupdate: $MASTERUPDATES"\ + " wazuh: $WAZUH"\ + " managerupdate: $MANAGERUPDATES"\ + " imagerepo: $IMAGEREPO"\ + "strelka:"\ + " enabled: $STRELKA"\ + " rules: $STRELKARULES"\ + "curator:"\ + " hot_warm: False"\ "elastic:"\ - " features: False" > "$static_pillar" + " features: False"\ + "elasticsearch:"\ + " replicas: 0"\ + " true_cluster: False"\ + " true_cluster_name: so"\ + " discovery_nodes: 1"\ + " hot_warm_enabled: False"\ + " cluster_routing_allocation_disk.threshold_enabled: true"\ + " cluster_routing_allocation_disk_watermark_low: 95%"\ + " cluster_routing_allocation_disk_watermark_high: 98%"\ + " cluster_routing_allocation_disk_watermark_flood_stage: 98%"\ + " index_settings:"\ + " so-beats:"\ + " shards: 1"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " so-firewall:"\ + " shards: 1"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " so-flow:"\ + " shards: 1"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " so-ids:"\ + " shards: 1"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " so-import:"\ + " shards: 1"\ + " warm: 7"\ + " close: 73000"\ + " delete: 73001"\ + " so-osquery:"\ + " shards: 1"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " so-ossec:"\ + " shards: 1"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " so-strelka:"\ + " shards: 1"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " so-syslog:"\ + " shards: 1"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " so-zeek:"\ + " shards: 5"\ + " warm: 7"\ + " close: 365"\ + " delete: 45" > "$static_pillar" printf '%s\n' '----' >> "$setup_log" 2>&1 cat "$static_pillar" >> "$setup_log" 2>&1 @@ -995,33 +1141,40 @@ network_setup() { } >> "$setup_log" 2>&1 } -node_pillar() { +elasticsearch_pillar() { local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls # Create the node pillar printf '%s\n'\ - "node:"\ + "elasticsearch:"\ " mainip: $MAINIP"\ " mainint: $MNIC"\ " esheap: $NODE_ES_HEAP_SIZE"\ " esclustername: {{ grains.host }}"\ - " lsheap: $NODE_LS_HEAP_SIZE"\ - " ls_pipeline_workers: $LSPIPELINEWORKERS"\ - " ls_pipeline_batch_size: $LSPIPELINEBATCH"\ - " ls_input_threads: $LSINPUTTHREADS"\ - " ls_batch_count: $LSINPUTBATCHCOUNT"\ - " es_shard_count: $SHARDCOUNT"\ " node_type: $NODETYPE"\ " es_port: $node_es_port"\ " log_size_limit: $log_size_limit"\ - " cur_close_days: $CURCLOSEDAYS"\ + " node_route_type: hot"\ + "" >> "$pillar_file" + + printf '%s\n'\ + "logstash_settings:"\ + " ls_pipeline_batch_size: $LSPIPELINEBATCH"\ + " ls_input_threads: $LSINPUTTHREADS"\ + " ls_batch_count: $LSINPUTBATCHCOUNT"\ + " lsheap: $NODE_LS_HEAP_SIZE"\ "" >> "$pillar_file" printf '%s\n' '----' >> "$setup_log" 2>&1 cat "$pillar_file" >> "$setup_log" 2>&1 } +parse_install_username() { + # parse out the install username so things copy correctly + INSTALLUSERNAME=$(pwd | sed -E 's/\// /g' | awk '{ print $2 }') +} + patch_pillar() { local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls @@ -1096,11 +1249,11 @@ saltify() { set_progress_str 6 'Installing various dependencies' yum -y install wget nmap-ncat >> "$setup_log" 2>&1 case "$install_type" in - 'MASTER' | 'EVAL' | 'MASTERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE') + 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE') reserve_group_ids >> "$setup_log" 2>&1 yum -y install epel-release >> "$setup_log" 2>&1 yum -y install sqlite argon2 curl mariadb-devel >> "$setup_log" 2>&1 - # Download Ubuntu Keys in case master updates = 1 + # Download Ubuntu Keys in case manager updates = 1 mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 @@ -1111,7 +1264,7 @@ saltify() { systemctl enable salt-master >> "$setup_log" 2>&1 ;; *) - if [ "$MASTERUPDATES" = '1' ]; then + if [ "$MANAGERUPDATES" = '1' ]; then { # Create the GPG Public Key for the Salt Repo cp ./public_keys/salt.pem /etc/pki/rpm-gpg/saltstack-signing-key; @@ -1162,17 +1315,17 @@ saltify() { # Grab the version from the os-release file local ubuntu_version ubuntu_version=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}') + if [ "$OSVER" != "xenial" ]; then local py_ver_url_path="/py3"; else local py_ver_url_path="/apt"; fi case "$install_type" in 'FLEET') if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-mysqldb >> "$setup_log" 2>&1; else apt-get -y install python-mysqldb >> "$setup_log" 2>&1; fi ;; - 'MASTER' | 'EVAL' | 'MASTERSEARCH' | 'STANDALONE') # TODO: should this also be HELIXSENSOR? - if [ "$OSVER" != "xenial" ]; then local py_ver_url_path="/py3"; else local py_ver_url_path="/apt"; fi + 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE') # TODO: should this also be HELIXSENSOR? # Add saltstack repo(s) wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/2019.2.5/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list + echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 @@ -1180,14 +1333,14 @@ saltify() { # Get gpg keys mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/"$ubuntu_version"/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com$py_ver_url_path/ubuntu/"$ubuntu_version"/amd64/latest/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 # Get key and install wazuh curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - >> "$setup_log" 2>&1 # Add repo - echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list >> "$setup_log" 2>&1 + echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" # Initialize the new repos apt-get update >> "$setup_log" 2>&1 set_progress_str 6 'Installing various dependencies' @@ -1197,15 +1350,15 @@ saltify() { apt-mark hold salt-master >> "$setup_log" 2>&1 ;; *) - # Copy down the gpg keys and install them from the master + # Copy down the gpg keys and install them from the manager mkdir "$temp_install_dir"/gpg >> "$setup_log" 2>&1 - echo "scp the gpg keys and install them from the master" >> "$setup_log" 2>&1 + echo "scp the gpg keys and install them from the manager" >> "$setup_log" 2>&1 scp -v -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/gpg/* "$temp_install_dir"/gpg >> "$setup_log" 2>&1 echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list >> "$setup_log" 2>&1 - echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list >> "$setup_log" 2>&1 + echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/2019.2.5/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" ;; esac apt-get update >> "$setup_log" 2>&1 @@ -1225,7 +1378,7 @@ saltify() { salt_checkin() { case "$install_type" in - 'MASTER' | 'EVAL' | 'HELIXSENSOR' | 'MASTERSEARCH' | 'STANDALONE') # Fix Mine usage + 'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE') # Fix Mine usage { echo "Building Certificate Authority"; salt-call state.apply ca; @@ -1268,6 +1421,11 @@ set_base_heapsizes() { ls_heapsize } +set_network_dev_status_list() { + readarray -t nmcli_dev_status_list <<< "$(nmcli -t -f DEVICE,STATE -c no dev status)" + export nmcli_dev_status_list +} + set_main_ip() { MAINIP=$(ip route get 1 | awk '{print $7;exit}') } @@ -1281,14 +1439,16 @@ setup_salt_master_dirs() { # Copy over the salt code and templates if [ "$setup_type" = 'iso' ]; then - rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1 - rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1 + rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1 + rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1 + cp -Rv /home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1 else - cp -R ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1 - cp -R ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1 + cp -Rv ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1 + cp -Rv ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1 + cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1 fi - echo "Chown the salt dirs on the master for socore" >> "$setup_log" 2>&1 + echo "Chown the salt dirs on the manager for socore" >> "$setup_log" 2>&1 chown -R socore:socore /opt/so } @@ -1317,13 +1477,13 @@ sensor_pillar() { # Create the sensor pillar printf '%s\n'\ "sensor:"\ - " interface: bond0"\ + " interface: $INTERFACE"\ " mainip: $MAINIP"\ " mainint: $MNIC" >> "$pillar_file" if [ "$NSMSETUP" = 'ADVANCED' ]; then - echo " bro_pins:" >> "$pillar_file" - for PIN in "${BROPINS[@]}"; do + echo " zeek_pins:" >> "$pillar_file" + for PIN in "${ZEEKPINS[@]}"; do PIN=$(echo "$PIN" | cut -d\" -f2) echo " - $PIN" >> "$pillar_file" done @@ -1333,17 +1493,17 @@ sensor_pillar() { echo " - $SPIN" >> "$pillar_file" done elif [ "$install_type" = 'HELIXSENSOR' ]; then - echo " bro_lbprocs: $lb_procs" >> "$pillar_file" + echo " zeek_lbprocs: $lb_procs" >> "$pillar_file" echo " suriprocs: $lb_procs" >> "$pillar_file" else - echo " bro_lbprocs: $BASICBRO" >> "$pillar_file" + echo " zeek_lbprocs: $BASICZEEK" >> "$pillar_file" echo " suriprocs: $BASICSURI" >> "$pillar_file" fi printf '%s\n'\ - " brobpf:"\ + " zeekbpf:"\ " pcapbpf:"\ " nidsbpf:"\ - " master: $MSRV"\ + " manager: $MSRV"\ " mtu: $MTU"\ " uniqueid: $(date '+%s')" >> "$pillar_file" if [ "$HNSENSOR" != 'inherit' ]; then @@ -1362,7 +1522,7 @@ set_default_log_size() { local percentage case $INSTALLTYPE in - EVAL | HEAVYNODE) + STANDALONE | EVAL | HEAVYNODE) percentage=50 ;; *) @@ -1389,7 +1549,7 @@ set_hostname() { set_hostname_iso - if [[ ! $install_type =~ ^(MASTER|EVAL|HELIXSENSOR|MASTERSEARCH|STANDALONE)$ ]]; then + if [[ ! $install_type =~ ^(MANAGER|EVAL|HELIXSENSOR|MANAGERSEARCH|STANDALONE)$ ]]; then if ! getent hosts "$MSRV"; then echo "$MSRVIP $MSRV" >> /etc/hosts fi @@ -1416,30 +1576,30 @@ set_initial_firewall_policy() { if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi case "$install_type" in - 'MASTER') - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP" + 'MANAGER') + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost minion "$MAINIP" - $default_salt_dir/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" + $default_salt_dir/pillar/data/addtotab.sh managertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; - 'EVAL' | 'MASTERSEARCH' | 'STANDALONE') - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP" + 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE') + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" case "$install_type" in 'EVAL') - $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 True + $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE True ;; - 'MASTERSEARCH') - $default_salt_dir/pillar/data/addtotab.sh mastersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" + 'MANAGERSEARCH') + $default_salt_dir/pillar/data/addtotab.sh managersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'STANDALONE') - $default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 + $default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE ;; esac ;; 'HELIXSENSOR') - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" ;; @@ -1448,7 +1608,7 @@ set_initial_firewall_policy() { case "$install_type" in 'SENSOR') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE ;; 'SEARCHNODE') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" @@ -1457,7 +1617,7 @@ set_initial_firewall_policy() { 'HEAVYNODE') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'FLEET') @@ -1481,8 +1641,8 @@ set_initial_firewall_policy() { set_management_interface() { if [ "$address_type" = 'DHCP' ]; then - nmcli con mod "$MNIC" connection.autoconnect yes - nmcli con up "$MNIC" + nmcli con mod "$MNIC" connection.autoconnect yes >> "$setup_log" 2>&1 + nmcli con up "$MNIC" >> "$setup_log" 2>&1 else # Set Static IP nmcli con mod "$MNIC" ipv4.addresses "$MIP"/"$MMASK"\ @@ -1490,20 +1650,17 @@ set_management_interface() { ipv4.dns "$MDNS"\ ipv4.dns-search "$MSEARCH"\ connection.autoconnect yes\ - ipv4.method manual - nmcli con up "$MNIC" + ipv4.method manual >> "$setup_log" 2>&1 + nmcli con up "$MNIC" >> "$setup_log" 2>&1 fi } set_node_type() { case "$install_type" in - 'SEARCHNODE' | 'EVAL' | 'MASTERSEARCH' | 'HEAVYNODE' | 'STANDALONE') + 'SEARCHNODE' | 'EVAL' | 'MANAGERSEARCH' | 'HEAVYNODE' | 'STANDALONE') NODETYPE='search' ;; - 'PARSINGNODE') - NODETYPE='parser' - ;; 'HOTNODE') NODETYPE='hot' ;; @@ -1513,14 +1670,28 @@ set_node_type() { esac } +set_redirect() { + case $REDIRECTINFO in + 'IP') + REDIRECTIT="$MAINIP" + ;; + 'HOSTNAME') + REDIRECTIT="$HOSTNAME" + ;; + *) + REDIRECTIT="$REDIRECTHOST" + ;; + esac +} + set_updates() { - if [ "$MASTERUPDATES" = '1' ]; then + if [ "$MANAGERUPDATES" = '1' ]; then if [ "$OS" = 'centos' ]; then if ! grep -q "$MSRV" /etc/yum.conf; then echo "proxy=http://$MSRV:3142" >> /etc/yum.conf fi else - # Set it up so the updates roll through the master + # Set it up so the updates roll through the manager printf '%s\n'\ "Acquire::http::Proxy \"http://$MSRV:3142\";"\ "Acquire::https::Proxy \"http://$MSRV:3142\";" > /etc/apt/apt.conf.d/00Proxy @@ -1541,7 +1712,7 @@ update_sudoers() { echo "soremote ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/common/tools/sbin/so-firewall" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/pillar/data/addtotab.sh" | tee -a /etc/sudoers - echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/master/files/add_minion.sh" | tee -a /etc/sudoers + echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/manager/files/add_minion.sh" | tee -a /etc/sudoers else echo "User soremote already granted sudo privileges" >> "$setup_log" 2>&1 fi @@ -1557,7 +1728,7 @@ update_packages() { } use_turbo_proxy() { - if [[ ! $install_type =~ ^(MASTER|EVAL|HELIXSENSOR|MASTERSEARCH|STANDALONE)$ ]]; then + if [[ ! $install_type =~ ^(MANAGER|EVAL|HELIXSENSOR|MANAGERSEARCH|STANDALONE)$ ]]; then echo "turbo is not supported on this install type" >> $setup_log 2>&1 return fi @@ -1581,7 +1752,7 @@ ls_heapsize() { fi case "$install_type" in - 'MASTERSEARCH' | 'HEAVYNODE' | 'HELIXSENSOR' | 'STANDALONE') + 'MANAGERSEARCH' | 'HEAVYNODE' | 'HELIXSENSOR' | 'STANDALONE') LS_HEAP_SIZE='1000m' ;; 'EVAL') @@ -1593,7 +1764,7 @@ ls_heapsize() { esac export LS_HEAP_SIZE - if [[ "$install_type" =~ ^(EVAL|MASTERSEARCH|STANDALONE)$ ]]; then + if [[ "$install_type" =~ ^(EVAL|MANAGERSEARCH|STANDALONE)$ ]]; then NODE_LS_HEAP_SIZE=LS_HEAP_SIZE export NODE_LS_HEAP_SIZE fi @@ -1615,7 +1786,7 @@ es_heapsize() { fi export ES_HEAP_SIZE - if [[ "$install_type" =~ ^(EVAL|MASTERSEARCH|STANDALONE)$ ]]; then + if [[ "$install_type" =~ ^(EVAL|MANAGERSEARCH|STANDALONE)$ ]]; then NODE_ES_HEAP_SIZE=ES_HEAP_SIZE export NODE_ES_HEAP_SIZE fi diff --git a/setup/so-setup b/setup/so-setup index 478151def..6a432fc9d 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -47,15 +47,28 @@ while [[ $# -gt 0 ]]; do done # Begin Installation pre-processing +parse_install_username +echo "Installing as the $INSTALLUSERNAME user." >> $setup_log 2>&1 + echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { + local title='Security Onion Install' + if grep -q -E "ERROR|Result: False" $setup_log || [[ -s /var/spool/mail/root ]]; then + if [[ -s /var/spool/mail/root ]]; then + echo '[ ERROR ] /var/spool/mail/root grew unexpectedly' >> $setup_log 2>&1 + fi + + export SO_ERROR=1 + title="Error found, please check $setup_log" + fi + if [ $automated == no ]; then - whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 + whiptail --title "$title" --gauge 'Please wait while installing...' 6 60 0 # append to text else cat >> $setup_log 2>&1 - fi + fi } if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then @@ -98,13 +111,16 @@ export PATH=$PATH:../salt/common/tools/sbin got_root -detect_os +detect_os && detect_cloud +set_network_dev_status_list if [ "$OS" == ubuntu ]; then update-alternatives --set newt-palette /etc/newt/palette.original >> $setup_log 2>&1 fi -setterm -blank 0 +if [ $automated == no ]; then + setterm -blank 0 >> $setup_log 2>&1 +fi if [ "$setup_type" == 'iso' ] || (whiptail_you_sure); then true @@ -117,21 +133,21 @@ whiptail_install_type if [ "$install_type" = 'EVAL' ]; then is_node=true - is_master=true + is_manager=true is_sensor=true is_eval=true elif [ "$install_type" = 'STANDALONE' ]; then - is_master=true - is_distmaster=true + is_manager=true + is_distmanager=true is_node=true is_sensor=true -elif [ "$install_type" = 'MASTERSEARCH' ]; then - is_master=true - is_distmaster=true +elif [ "$install_type" = 'MANAGERSEARCH' ]; then + is_manager=true + is_distmanager=true is_node=true -elif [ "$install_type" = 'MASTER' ]; then - is_master=true - is_distmaster=true +elif [ "$install_type" = 'MANAGER' ]; then + is_manager=true + is_distmanager=true elif [ "$install_type" = 'SENSOR' ]; then is_sensor=true is_minion=true @@ -151,13 +167,13 @@ elif [ "$install_type" = 'HELIXSENSOR' ]; then is_helix=true fi -if [[ $is_eval ]]; then - check_requirements "eval" +if [[ $is_manager && $is_sensor ]]; then + check_requirements "standalone" elif [[ $is_fleet_standalone ]]; then check_requirements "dist" "fleet" elif [[ $is_sensor && ! $is_eval ]]; then check_requirements "dist" "sensor" -elif [[ $is_distmaster || $is_minion ]]; then +elif [[ $is_distmanager || $is_minion ]]; then check_requirements "dist" fi @@ -177,7 +193,7 @@ case "$setup_type" in whiptail_management_interface_dns_search fi - collect_adminuser_inputs + #collect_adminuser_inputs ;; 'network') whiptail_network_notice @@ -202,21 +218,21 @@ if [[ $is_helix ]]; then RULESETUP=ETOPEN NSMSETUP=BASIC HNSENSOR=inherit - MASTERUPDATES=0 + MANAGERUPDATES=0 fi -if [[ $is_helix || ( $is_master && $is_node ) ]]; then +if [[ $is_helix || ( $is_manager && $is_node ) ]]; then RULESETUP=ETOPEN NSMSETUP=BASIC fi -if [[ $is_master && $is_node ]]; then +if [[ $is_manager && $is_node ]]; then LSPIPELINEWORKERS=1 LSPIPELINEBATCH=125 LSINPUTTHREADS=1 LSINPUTBATCHCOUNT=125 NIDS=Suricata - BROVERSION=ZEEK + ZEEKVERSION=ZEEK fi if [[ $is_node ]]; then @@ -225,21 +241,21 @@ fi # Start user prompts if [[ $is_helix || $is_sensor ]]; then - whiptail_bond_nics + whiptail_sensor_nics calculate_useable_cores fi -if [[ $is_helix || $is_master ]]; then - whiptail_homenet_master +if [[ $is_helix || $is_manager ]]; then + whiptail_homenet_manager fi -if [[ $is_helix || $is_master || $is_node ]]; then +if [[ $is_helix || $is_manager || $is_node ]]; then set_base_heapsizes fi -if [[ $is_master && ! $is_eval ]]; then - whiptail_master_adv - whiptail_bro_version +if [[ $is_manager && ! $is_eval ]]; then + whiptail_manager_adv + whiptail_zeek_version whiptail_nids whiptail_rule_setup @@ -247,22 +263,25 @@ if [[ $is_master && ! $is_eval ]]; then whiptail_oinkcode fi - if [ "$MASTERADV" = 'ADVANCED' ] && [ "$BROVERSION" != 'SURICATA' ]; then - whiptail_master_adv_service_brologs + if [ "$MANAGERADV" = 'ADVANCED' ] && [ "$ZEEKVERSION" != 'SURICATA' ]; then + whiptail_manager_adv_service_zeeklogs fi fi -if [[ $is_master ]]; then +if [[ $is_manager ]]; then whiptail_components_adv_warning whiptail_enable_components + if [[ $STRELKA == 1 ]]; then + whiptail_strelka_rules + fi collect_webuser_inputs get_redirect fi -if [[ $is_distmaster || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ]]; then - whiptail_master_updates - if [[ $setup_type == 'network' && $MASTERUPDATES == 1 ]]; then - whiptail_master_updates_warning +if [[ $is_distmanager || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ]]; then + whiptail_manager_updates + if [[ $setup_type == 'network' && $MANAGERUPDATES == 1 ]]; then + whiptail_manager_updates_warning fi fi @@ -270,7 +289,7 @@ if [[ $is_minion ]]; then whiptail_management_server fi -if [[ $is_distmaster ]]; then +if [[ $is_distmanager ]]; then collect_soremote_inputs fi @@ -278,11 +297,11 @@ if [[ $is_sensor && ! $is_eval ]]; then whiptail_homenet_sensor whiptail_sensor_config if [ $NSMSETUP == 'ADVANCED' ]; then - whiptail_bro_pins + whiptail_zeek_pins whiptail_suricata_pins whiptail_bond_nics_mtu else - whiptail_basic_bro + whiptail_basic_zeek whiptail_basic_suri fi fi @@ -316,6 +335,8 @@ else FLEETNODEPASSWD1=$WEBPASSWD1 fi +if [[ $is_manager ]]; then whiptail_so_allow; fi + whiptail_make_changes if [[ -n "$TURBO" ]]; then @@ -327,52 +348,57 @@ if [[ "$setup_type" == 'iso' ]]; then set_hostname_iso set_management_interface - add_admin_user - disable_onion_user + #add_admin_user + disable_auto_start fi -set_hostname >> $setup_log 2>&1 -set_version >> $setup_log 2>&1 -clear_master >> $setup_log 2>&1 +{ + set_hostname; + set_version; + clear_manager; +} >> $setup_log 2>&1 -if [[ $is_master ]]; then - generate_passwords >> $setup_log 2>&1 - secrets_pillar >> $setup_log 2>&1 - add_socore_user_master >> $setup_log 2>&1 + +if [[ $is_manager ]]; then + { + generate_passwords; + secrets_pillar; + add_socore_user_manager; + } >> $setup_log 2>&1 fi -if [[ $is_master && ! $is_eval ]]; then - add_soremote_user_master >> $setup_log 2>&1 +if [[ $is_manager && ! $is_eval ]]; then + add_soremote_user_manager >> $setup_log 2>&1 fi -set_main_ip >> $setup_log 2>&1 +{ + set_main_ip; + set_redirect; +} >> $setup_log 2>&1 + +host_pillar >> $setup_log 2>&1 if [[ $is_minion ]]; then set_updates >> $setup_log 2>&1 copy_ssh_key >> $setup_log 2>&1 fi -if [[ "$OSQUERY" = 1 ]]; then - host_pillar >> $setup_log 2>&1 -fi - # Begin install { # Set initial percentage to 0 export percentage=0 - if [[ $is_minion ]]; then - set_progress_str 1 'Configuring firewall' - set_initial_firewall_policy >> $setup_log 2>&1 - fi + if [[ $is_minion ]]; then + set_progress_str 1 'Configuring firewall' + set_initial_firewall_policy >> $setup_log 2>&1 + fi set_progress_str 2 'Updating packages' update_packages >> $setup_log 2>&1 if [[ $is_sensor || $is_helix ]]; then - set_progress_str 3 'Creating bond interface' - create_sensor_bond >> $setup_log 2>&1 - + set_progress_str 3 'Configuring sensor interface' + configure_network_sensor >> $setup_log 2>&1 set_progress_str 4 'Generating sensor pillar' sensor_pillar >> $setup_log 2>&1 fi @@ -389,23 +415,24 @@ fi set_progress_str 9 'Initializing Salt minion' configure_minion "$minion_type" >> $setup_log 2>&1 - - if [[ $is_master || $is_helix ]]; then + if [[ $is_manager || $is_helix ]]; then set_progress_str 10 'Configuring Salt master' - create_local_directories >> $setup_log 2>&1 - addtotab_generate_templates >> $setup_log 2>&1 - copy_master_config >> $setup_log 2>&1 - setup_salt_master_dirs >> $setup_log 2>&1 - firewall_generate_templates >> $setup_log 2>&1 + { + create_local_directories; + addtotab_generate_templates; + copy_salt_master_config; + setup_salt_master_dirs; + firewall_generate_templates; + } >> $setup_log 2>&1 set_progress_str 11 'Updating sudoers file for soremote user' update_sudoers >> $setup_log 2>&1 - set_progress_str 12 'Generating master static pillar' - master_static >> $setup_log 2>&1 + set_progress_str 12 'Generating manager static pillar' + manager_static >> $setup_log 2>&1 - set_progress_str 13 'Generating master pillar' - master_pillar >> $setup_log 2>&1 + set_progress_str 13 'Generating manager pillar' + manager_pillar >> $setup_log 2>&1 fi @@ -421,27 +448,29 @@ fi set_progress_str 18 'Setting node type' set_node_type >> $setup_log 2>&1 - set_progress_str 19 'Generating search node pillar' - node_pillar >> $setup_log 2>&1 + if ! [[ $is_manager || $is_helix ]]; then + set_progress_str 19 'Generating search node pillar' + elasticsearch_pillar >> $setup_log 2>&1 + fi fi if [[ $is_minion ]]; then - set_progress_str 20 'Accepting Salt key on master' + set_progress_str 20 'Accepting Salt key on manager' accept_salt_key_remote >> $setup_log 2>&1 fi - if [[ $is_master ]]; then + if [[ $is_manager ]]; then set_progress_str 20 'Accepting Salt key' salt-key -ya "$MINION_ID" >> $setup_log 2>&1 fi - set_progress_str 21 'Copying minion pillars to master' + set_progress_str 21 'Copying minion pillars to manager' copy_minion_tmp_files >> $setup_log 2>&1 set_progress_str 22 'Generating CA and checking in' salt_checkin >> $setup_log 2>&1 - if [[ $is_master || $is_helix ]]; then + if [[ $is_manager || $is_helix ]]; then set_progress_str 25 'Configuring firewall' set_initial_firewall_policy >> $setup_log 2>&1 @@ -454,14 +483,14 @@ fi salt-call state.apply -l info registry >> $setup_log 2>&1 docker_seed_registry 2>> "$setup_log" # ~ 60% when finished - set_progress_str 60 "$(print_salt_state_apply 'master')" - salt-call state.apply -l info master >> $setup_log 2>&1 + set_progress_str 60 "$(print_salt_state_apply 'manager')" + salt-call state.apply -l info manager >> $setup_log 2>&1 set_progress_str 61 "$(print_salt_state_apply 'idstools')" salt-call state.apply -l info idstools >> $setup_log 2>&1 - set_progress_str 61 "$(print_salt_state_apply 'suricata.master')" - salt-call state.apply -l info suricata.master >> $setup_log 2>&1 + set_progress_str 61 "$(print_salt_state_apply 'suricata.manager')" + salt-call state.apply -l info suricata.manager >> $setup_log 2>&1 fi @@ -479,7 +508,7 @@ fi set_progress_str 64 "$(print_salt_state_apply 'nginx')" salt-call state.apply -l info nginx >> $setup_log 2>&1 - if [[ $is_master || $is_node ]]; then + if [[ $is_manager || $is_node ]]; then set_progress_str 64 "$(print_salt_state_apply 'elasticsearch')" salt-call state.apply -l info elasticsearch >> $setup_log 2>&1 fi @@ -500,7 +529,7 @@ fi salt-call state.apply -l info curator >> $setup_log 2>&1 fi - if [[ $is_master ]]; then + if [[ $is_manager ]]; then set_progress_str 69 "$(print_salt_state_apply 'soc')" salt-call state.apply -l info soc >> $setup_log 2>&1 @@ -513,59 +542,63 @@ fi set_progress_str 72 "$(print_salt_state_apply 'soctopus')" salt-call state.apply -l info soctopus >> $setup_log 2>&1 fi + + if [[ "$PLAYBOOK" = 1 ]]; then + set_progress_str 73 "$(print_salt_state_apply 'playbook.db_init')" + salt-call state.apply -l info playbook.db_init >> $setup_log 2>&1 + + set_progress_str 73 "$(print_salt_state_apply 'playbook')" + salt-call state.apply -l info playbook >> $setup_log 2>&1 + so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 & + fi if [[ "$OSQUERY" = 1 ]]; then - set_progress_str 73 "$(print_salt_state_apply 'mysql')" + if [[ "$PLAYBOOK" != 1 ]]; then + set_progress_str 74 "$(print_salt_state_apply 'mysql')" salt-call state.apply -l info mysql >> $setup_log 2>&1 + fi - set_progress_str 73 "$(print_salt_state_apply 'fleet')" + set_progress_str 75 "$(print_salt_state_apply 'fleet')" salt-call state.apply -l info fleet >> $setup_log 2>&1 - set_progress_str 73 "$(print_salt_state_apply 'redis')" + set_progress_str 76 "$(print_salt_state_apply 'redis')" salt-call state.apply -l info redis >> $setup_log 2>&1 if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then - set_progress_str 73 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')" + set_progress_str 77 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')" pillar_override="{\"static\":{\"fleet_custom_hostname\": \"$FLEETCUSTOMHOSTNAME\"}}" salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1 fi set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')" - so-fleet-setup $FLEETNODEUSER $FLEETNODEPASSWD1 >> $setup_log 2>&1 + so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1 fi if [[ "$WAZUH" = 1 ]]; then - set_progress_str 75 "$(print_salt_state_apply 'wazuh')" + set_progress_str 78 "$(print_salt_state_apply 'wazuh')" salt-call state.apply -l info wazuh >> $setup_log 2>&1 fi if [[ "$THEHIVE" = 1 ]]; then - set_progress_str 76 "$(print_salt_state_apply 'thehive')" + set_progress_str 79 "$(print_salt_state_apply 'thehive')" salt-call state.apply -l info thehive >> $setup_log 2>&1 fi if [[ "$STRELKA" = 1 ]]; then - set_progress_str 77 "$(print_salt_state_apply 'strelka')" + set_progress_str 80 "$(print_salt_state_apply 'strelka')" salt-call state.apply -l info strelka >> $setup_log 2>&1 + if [[ $STRELKARULES == 1 ]]; then + /usr/sbin/so-yara-update >> $setup_log 2>&1 + fi fi - if [[ "$PLAYBOOK" = 1 ]]; then - set_progress_str 78 "$(print_salt_state_apply 'playbook')" - salt-call state.apply -l info playbook >> $setup_log 2>&1 - fi - - if [[ "$NAVIGATOR" = 1 ]]; then - set_progress_str 78 "$(print_salt_state_apply 'navigator')" - salt-call state.apply -l info navigator >> $setup_log 2>&1 - fi - - if [[ $is_master || $is_helix ]]; then + if [[ $is_manager || $is_helix ]]; then set_progress_str 81 "$(print_salt_state_apply 'utility')" salt-call state.apply -l info utility >> $setup_log 2>&1 fi - if [[ ( $is_helix || $is_master || $is_node ) && ! $is_eval ]]; then + if [[ ( $is_helix || $is_manager || $is_node ) && ! $is_eval ]]; then set_progress_str 82 "$(print_salt_state_apply 'logstash')" salt-call state.apply -l info logstash >> $setup_log 2>&1 @@ -577,7 +610,7 @@ fi filter_unused_nics >> $setup_log 2>&1 network_setup >> $setup_log 2>&1 - if [[ $is_master ]]; then + if [[ $is_manager ]]; then set_progress_str 87 'Adding user to SOC' add_web_user >> $setup_log 2>&1 fi @@ -586,24 +619,34 @@ fi checkin_at_boot >> $setup_log 2>&1 set_progress_str 95 'Verifying setup' - salt-call -l info state.highstate >> $setup_log 2>&1 + salt-call -l info state.highstate >> $setup_log 2>&1 } | progress success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') -if [[ "$success" = 0 ]]; then - whiptail_setup_complete - if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then - export IP=$ALLOW_CIDR - so-allow -$ALLOW_ROLE >> $setup_log 2>&1 - fi - if [[ $THEHIVE == 1 ]]; then - check_hive_init - fi -else +if [[ $success != 0 ]]; then SO_ERROR=1; fi + + +if [[ -n $SO_ERROR ]]; then + echo "Errors detected during setup; skipping post-setup steps to allow for analysis of failures." >> $setup_log 2>&1 + SKIP_REBOOT=1 whiptail_setup_failed +else + { + export percentage=95 # set to last percentage used in previous subshell + if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then + set_progress_str 98 "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" + IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 + fi + + set_progress_str 99 'Waiting for TheHive to start up' + if [[ $THEHIVE == 1 ]]; then check_hive_init >> $setup_log 2>&1; fi + + } | whiptail_gauge_post_setup "Running post-installation steps..." + + whiptail_setup_complete fi -if [[ -z $SKIP_REBOOT ]]; then - shutdown -r now -fi +install_cleanup >> $setup_log 2>&1 + +if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit; fi diff --git a/setup/so-variables b/setup/so-variables index e14a955ab..07f7aa71b 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -28,6 +28,9 @@ mkdir -p /nsm filesystem_nsm=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }') export filesystem_nsm +free_space_root=$(df -Pk /nsm | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }') +export free_space_root + mkdir -p /root/installtmp/pillar/minions export temp_install_dir=/root/installtmp @@ -36,6 +39,8 @@ export percentage_str='Getting started' export DEBIAN_FRONTEND=noninteractive export default_salt_dir=/opt/so/saltstack/default + export local_salt_dir=/opt/so/saltstack/local -export SCRIPTDIR=$(cd `dirname $0` && pwd) +SCRIPTDIR=$(cd "$(dirname "$0")" && pwd) +export SCRIPTDIR diff --git a/setup/so-whiptail b/setup/so-whiptail index 86c723b83..f0f1fb7b5 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -19,11 +19,11 @@ source ./so-variables source ./so-common-functions -whiptail_basic_bro() { +whiptail_basic_zeek() { [ -n "$TESTING" ] && return - BASICBRO=$(whiptail --title "Security Onion Setup" --inputbox \ + BASICZEEK=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter the number of zeek processes:" 10 75 "$lb_procs" 3>&1 1>&2 2>&3) local exitstatus=$? @@ -42,7 +42,7 @@ whiptail_basic_suri() { } -whiptail_bro_pins() { +whiptail_zeek_pins() { [ -n "$TESTING" ] && return @@ -51,20 +51,20 @@ whiptail_bro_pins() { cpu_core_list_whiptail+=("$item" "OFF") done - BROPINS=$(whiptail --noitem --title "Pin Zeek CPUS" --checklist "Please select $lb_procs cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 ) + ZEEKPINS=$(whiptail --noitem --title "Pin Zeek CPUS" --checklist "Please select $lb_procs cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus - BROPINS=$(echo "$BROPINS" | tr -d '"') + ZEEKPINS=$(echo "$ZEEKPINS" | tr -d '"') - IFS=' ' read -ra BROPINS <<< "$BROPINS" + IFS=' ' read -ra ZEEKPINS <<< "$ZEEKPINS" } -whiptail_bro_version() { +whiptail_zeek_version() { [ -n "$TESTING" ] && return - BROVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate meta data?" 20 75 4 "ZEEK" "Install Zeek (aka Bro)" ON \ + ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate meta data?" 20 75 4 "ZEEK" "Install Zeek (aka Bro)" ON \ "SURICATA" "Use Suricata 5" OFF 3>&1 1>&2 2>&3) local exitstatus=$? @@ -72,19 +72,27 @@ whiptail_bro_version() { } -whiptail_bond_nics() { +whiptail_sensor_nics() { [ -n "$TESTING" ] && return filter_unused_nics - BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) + if [[ $is_ec2 ]]; then + local menu_text="Please select NIC for the Monitor Interface" + local list_type="radiolist" + else + local menu_text="Please add NICs to the Monitor Interface" + local list_type="checklist" + fi + + BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus while [ -z "$BNICS" ] do - BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) + BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus done @@ -92,6 +100,16 @@ whiptail_bond_nics() { BNICS=$(echo "$BNICS" | tr -d '"') IFS=' ' read -ra BNICS <<< "$BNICS" + + for bond_nic in "${BNICS[@]}"; do + if [[ "${nmcli_dev_status_list}" =~ $bond_nic\:unmanaged ]]; then + whiptail \ + --title "Security Onion Setup" \ + --msgbox "$bond_nic is unmanaged by Network Manager. Please remove it from other network management tools then re-run setup." \ + 8 75 + exit + fi + done } whiptail_bond_nics_mtu() { @@ -234,7 +252,8 @@ whiptail_create_web_user() { [ -n "$TESTING" ] && return WEBUSER=$(whiptail --title "Security Onion Install" --inputbox \ - "Please enter an email address to create an administrator account for the web interface." 10 60 3>&1 1>&2 2>&3) + "Please enter an email address to create an administrator account for the web interface. \ + This will also be used for TheHive, Cortex, and Fleet" 10 60 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -281,8 +300,6 @@ whiptail_fleet_custom_hostname() { whiptail_check_exitstatus $exitstatus } - - whiptail_requirements_error() { local requirement_needed=$1 @@ -292,7 +309,7 @@ whiptail_requirements_error() { [ -n "$TESTING" ] && return whiptail --title "Security Onion Setup" \ - --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press YES to continue anyway, or press NO to cancel." 8 75 + --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press YES to continue anyway, or press NO to cancel." 10 75 local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -343,7 +360,6 @@ whiptail_enable_components() { WAZUH "Enable Wazuh" ON \ THEHIVE "Enable TheHive" ON \ PLAYBOOK "Enable Playbook" ON \ - NAVIGATOR "Enable ATT&CK Navigator" ON \ STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -390,24 +406,24 @@ whiptail_helix_apikey() { } -whiptail_homenet_master() { +whiptail_homenet_manager() { [ -n "$TESTING" ] && return - HNMASTER=$(whiptail --title "Security Onion Setup" --inputbox \ + HNMANAGER=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter your HOME_NET separated by ," 10 75 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus - export HNMASTER + export HNMANAGER } whiptail_homenet_sensor() { [ -n "$TESTING" ] && return - # Ask to inherit from master - whiptail --title "Security Onion Setup" --yesno "Do you want to inherit the HOME_NET from the Master?" 8 75 + # Ask to inherit from manager + whiptail --title "Security Onion Setup" --yesno "Do you want to inherit the HOME_NET from the Manager?" 8 75 local exitstatus=$? @@ -420,9 +436,7 @@ whiptail_homenet_sensor() { whiptail_check_exitstatus $exitstatus export HNSENSOR - fi - } whiptail_install_type() { @@ -431,27 +445,37 @@ whiptail_install_type() { # What kind of install are we doing? install_type=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose Install Type:" 20 75 13 \ - "SENSOR" "Create a forward only sensor" ON \ - "SEARCHNODE" "Add a Search Node with parsing" OFF \ - "MASTER" "Start a new grid" OFF \ - "EVAL" "Evaluate all the things" OFF \ - "STANDALONE" "Standalone full install of everything" OFF \ - "MASTERSEARCH" "Master + Search Node" OFF \ - "HEAVYNODE" "Sensor + Search Node" OFF \ - "HELIXSENSOR" "Connect this sensor to FireEye Helix" OFF \ - "FLEET" "Dedicated Fleet Osquery Node" OFF \ - "HOTNODE" "TODO Add Hot Node (Uses Elastic Clustering)" OFF \ - "WARMNODE" "TODO Add Warm Node to existing Hot or Search node" OFF \ - "WAZUH" "TODO Stand Alone Wazuh Server" OFF \ - "STRELKA" "TODO Stand Alone Strelka Node" OFF 3>&1 1>&2 2>&3 ) + "Choose install type:" 10 65 3 \ + "EVAL" "Evaluation mode (not for production) " ON \ + "STANDALONE" "Standalone production install " OFF \ + "DISTRIBUTED" "Distributed install submenu " OFF \ + 3>&1 1>&2 2>&3 + ) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + + if [[ $install_type == "DISTRIBUTED" ]]; then + install_type=$(whiptail --title "Security Onion Setup" --radiolist \ + "Choose distributed node type:" 13 60 6 \ + "MANAGER" "Start a new grid " ON \ + "SENSOR" "Create a forward only sensor " OFF \ + "SEARCHNODE" "Add a search node with parsing " OFF \ + "MANAGERSEARCH" "Manager + search node " OFF \ + "FLEET" "Dedicated Fleet Osquery Node " OFF \ + "HEAVYNODE" "Sensor + Search Node " OFF \ + 3>&1 1>&2 2>&3 + # "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO + # "WARMNODE" "Add Warm Node to existing Hot or Search node" OFF \ # TODO + # "WAZUH" "Stand Alone Wazuh Server" OFF \ # TODO + # "STRELKA" "Stand Alone Strelka Node" OFF \ # TODO + ) + fi local exitstatus=$? whiptail_check_exitstatus $exitstatus export install_type - - } whiptail_log_size_limit() { @@ -537,9 +561,10 @@ whiptail_nids() { [ -n "$TESTING" ] && return NIDS=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose which IDS to run:" 20 75 4 \ + "Choose which IDS to run. \n + Snort 3.0 support will be added once it is out of beta:" 25 75 4 \ "Suricata" "Suricata 4.X" ON \ - "Snort" "Snort 3.0 Beta" OFF 3>&1 1>&2 2>&3 ) + "Snort" "Placeholder for Snort 3.0 " OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -551,7 +576,7 @@ whiptail_oinkcode() { [ -n "$TESTING" ] && return OINKCODE=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter your oinkcode" 10 75 XXXXXXX 3>&1 1>&2 2>&3) + "Enter your ET Pro or oinkcode" 10 75 XXXXXXX 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -574,26 +599,42 @@ whiptail_management_server() { [ -n "$TESTING" ] && return MSRV=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter your Master Server hostname. It is CASE SENSITIVE!" 10 75 XXXX 3>&1 1>&2 2>&3) + "Enter your Manager Server hostname. It is CASE SENSITIVE!" 10 75 XXXX 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus + while [[ $MSRV == *'localhost'* || ! ( $MSRV =~ ^[a-zA-Z0-9\-]*$ ) ]] ; do + local error_message + error_message=$(echo "Please choose a valid hostname. It cannot contain localhost; and must contain only \ + the ASCII letters 'A-Z' and 'a-z' (case-sensitive), the digits '0' through '9', \ + and hyphen ('-')" | tr -d '\t') + + whiptail --title "Security Onion Setup" \ + --msgbox "$error_message" 10 75 + + MSRV=$(whiptail --title "Security Onion Setup" --inputbox \ + "Enter your Manager Server hostname. It is CASE SENSITIVE!" 10 75 XXXX 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + done + if ! getent hosts "$MSRV"; then - add_master_hostfile + add_manager_hostfile fi } -# Ask if you want to do advanced setup of the Master -whiptail_master_adv() { +# Ask if you want to do advanced setup of the Manager +whiptail_manager_adv() { [ -n "$TESTING" ] && return - MASTERADV=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose what type of master install:" 20 75 4 \ - "BASIC" "Install master with recommended settings" ON \ - "ADVANCED" "Do additional configuration to the master" OFF 3>&1 1>&2 2>&3 ) + MANAGERADV=$(whiptail --title "Security Onion Setup" --radiolist \ + "Choose which type of manager to install:" 20 75 4 \ + "BASIC" "Install manager with recommended settings" ON \ + "ADVANCED" "Do additional configuration to the manager" OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -601,7 +642,7 @@ whiptail_master_adv() { } # Ask which additional components to install -whiptail_master_adv_service_brologs() { +whiptail_manager_adv_service_zeeklogs() { [ -n "$TESTING" ] && return @@ -766,7 +807,7 @@ whiptail_patch_name_new_schedule() { [ -n "$TESTING" ] && return PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \ - "What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the master under /opt/so/salt/patch/os/schedules/.yml" 10 75 3>&1 1>&2 2>&3) + "What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the manager under /opt/so/salt/patch/os/schedules/.yml" 10 75 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -774,7 +815,7 @@ whiptail_patch_name_new_schedule() { while [[ -z "$PATCHSCHEDULENAME" ]]; do whiptail --title "Security Onion Setup" --msgbox "Please enter a name for this OS patch schedule." 8 75 PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \ - "What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the master under /opt/so/salt/patch/os/schedules/.yml" 10 75 3>&1 1>&2 2>&3) + "What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the manager under /opt/so/salt/patch/os/schedules/.yml" 10 75 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus done @@ -825,7 +866,7 @@ whiptail_patch_schedule_import() { unset PATCHSCHEDULENAME PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter the name of the OS patch schedule you want to inherit. Available schedules can be found on the master under /opt/so/salt/patch/os/schedules/.yml" 10 75 3>&1 1>&2 2>&3) + "Enter the name of the OS patch schedule you want to inherit. Available schedules can be found on the manager under /opt/so/salt/patch/os/schedules/.yml" 10 75 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -833,7 +874,7 @@ whiptail_patch_schedule_import() { while [[ -z "$PATCHSCHEDULENAME" ]]; do whiptail --title "Security Onion Setup" --msgbox "Please enter a name for the OS patch schedule you want to inherit." 8 75 PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter the name of the OS patch schedule you want to inherit. Available schedules can be found on the master under /opt/so/salt/patch/os/schedules/.yml" 10 75 3>&1 1>&2 2>&3) + "Enter the name of the OS patch schedule you want to inherit. Available schedules can be found on the manager under /opt/so/salt/patch/os/schedules/.yml" 10 75 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -866,50 +907,43 @@ whiptail_patch_schedule_select_days() { } whiptail_patch_schedule_select_hours() { - + [ -n "$TESTING" ] && return - # Select the hours to patch - PATCHSCHEDULEHOURS=$(whiptail --title "Security Onion Setup" --checklist \ - "At which time, UTC, do you want to apply OS patches on the selected days? Hours 12 through 23 can be selected on the next screen." 22 75 13 \ - 00:00 "" OFF \ - 01:00 "" OFF \ - 02:00 "" OFF \ - 03:00 "" OFF \ - 04:00 "" OFF \ - 05:00 "" OFF \ - 06:00 "" OFF \ - 07:00 "" OFF \ - 08:00 "" OFF \ - 09:00 "" OFF \ - 10:00 "" OFF \ - 11:00 "" OFF 3>&1 1>&2 2>&3 ) + # Select the hours to patch + PATCHSCHEDULEHOURS=$(whiptail --title "Security Onion Setup" --checklist \ + "At which time, UTC, do you want to apply OS patches on the selected days?" 22 75 13 \ + 00:00 "" OFF \ + 01:00 "" OFF \ + 02:00 "" ON \ + 03:00 "" OFF \ + 04:00 "" OFF \ + 05:00 "" OFF \ + 06:00 "" OFF \ + 07:00 "" OFF \ + 08:00 "" OFF \ + 09:00 "" OFF \ + 10:00 "" OFF \ + 11:00 "" OFF \ + 12:00 "" OFF \ + 13:00 "" OFF \ + 14:00 "" OFF \ + 15:00 "" OFF \ + 16:00 "" OFF \ + 17:00 "" OFF \ + 18:00 "" OFF \ + 19:00 "" OFF \ + 20:00 "" OFF \ + 21:00 "" OFF \ + 22:00 "" OFF \ + 23:00 "" OFF 3>&1 1>&2 2>&3) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus + local exitstatus=$? + whiptail_check_exitstatus $exitstatus - # Select the hours to patch - PATCHSCHEDULEHOURS+=$(whiptail --title "Security Onion Setup" --checklist \ - "At which time, UTC, do you want to apply OS patches on the selected days?" 22 75 13 \ - 12:00 "" OFF \ - 13:00 "" OFF \ - 14:00 "" OFF \ - 15:00 "" ON \ - 16:00 "" OFF \ - 17:00 "" OFF \ - 18:00 "" OFF \ - 19:00 "" OFF \ - 20:00 "" OFF \ - 21:00 "" OFF \ - 22:00 "" OFF \ - 23:00 "" OFF 3>&1 1>&2 2>&3) + PATCHSCHEDULEHOURS=$(echo "$PATCHSCHEDULEHOURS" | tr -d '"') - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - PATCHSCHEDULEHOURS=$(echo "$PATCHSCHEDULEHOURS" | tr -d '"') - - IFS=' ' read -ra PATCHSCHEDULEHOURS <<< "$PATCHSCHEDULEHOURS" + IFS=' ' read -ra PATCHSCHEDULEHOURS <<< "$PATCHSCHEDULEHOURS" } @@ -919,11 +953,10 @@ whiptail_rule_setup() { # Get pulled pork info RULESETUP=$(whiptail --title "Security Onion Setup" --radiolist \ - "Which IDS ruleset would you like to use?\n\nThis master server is responsible for downloading the IDS ruleset from the Internet.\n\nSensors then pull a copy of this ruleset from the master server.\n\nIf you select a commercial ruleset, it is your responsibility to purchase enough licenses for all of your sensors in compliance with your vendor's policies." 20 75 4 \ + "Which IDS ruleset would you like to use?\n\nThis manager server is responsible for downloading the IDS ruleset from the Internet.\n\nSensors then pull a copy of this ruleset from the manager server.\n\nIf you select a commercial ruleset, it is your responsibility to purchase enough licenses for all of your sensors in compliance with your vendor's policies." 20 75 4 \ "ETOPEN" "Emerging Threats Open" ON \ "ETPRO" "Emerging Threats PRO" OFF \ - "TALOSET" "Snort Subscriber (Talos) and ET NoGPL rulesets" OFF \ - "TALOS" "Snort Subscriber (Talos) ruleset and set a policy" OFF \ + "TALOS" "Snort Subscriber ruleset - Experimental" OFF \ 3>&1 1>&2 2>&3) local exitstatus=$? @@ -964,10 +997,13 @@ whiptail_set_hostname() { error_message=$(echo "Please choose a valid hostname. It cannot contain localhost; and must contain only \ the ASCII letters 'a' through 'z' (case-insensitive), the digits '0' through '9', \ and hyphen ('-')" | tr -d '\t') + whiptail --title "Security Onion Setup" \ --msgbox "$error_message" 10 75 + HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter the hostname (not FQDN) you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3) + local exitstatus=$? whiptail_check_exitstatus $exitstatus done @@ -979,7 +1015,7 @@ whiptail_set_redirect() { [ -n "$TESTING" ] && return REDIRECTINFO=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose the access method for the web interface:" 20 75 4 \ + "Choose the access method for the web interface: \nNOTE: For security reasons, we use strict cookie enforcement" 20 75 4 \ "IP" "Use IP to access the web interface" ON \ "HOSTNAME" "Use hostname to access the web interface" OFF \ "OTHER" "Use a different name like a FQDN or Load Balancer" OFF 3>&1 1>&2 2>&3 ) @@ -997,30 +1033,32 @@ whiptail_set_redirect_host() { whiptail_check_exitstatus $exitstatus } -whiptail_set_redirect_info() { - - [ -n "$TESTING" ] && return - - whiptail --title "Security Onion Setup" --msgbox "The following selection refers to accessing the web interface. \n -For security reasons, we use strict cookie enforcement." 10 75 -} - whiptail_setup_complete() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --msgbox "Finished $install_type install. Press Ok to reboot." 8 75 - install_cleanup >> $setup_log 2>&1 + if [[ -n $ALLOW_CIDR ]]; then + local sentence_prefix="Access" + else + local sentence_prefix="Run so-allow after reboot to access" + fi + read -r -d '' message <<- EOM + Finished ${install_type} installation. + + ${sentence_prefix} the web interface at: https://${REDIRECTIT} + + Press ENTER to reboot. + EOM + + whiptail --title "Security Onion Setup" --msgbox "$message" 12 75 } whiptail_setup_failed() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see $setup_log for details. Press Ok to reboot." 8 75 - install_cleanup >> $setup_log 2>&1 - + whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see $setup_log for details. Press Ok to exit." 8 75 } whiptail_shard_count() { @@ -1035,12 +1073,55 @@ whiptail_shard_count() { } +whiptail_so_allow() { + + [ -n "$TESTING" ] && return + + whiptail --title "Security Onion Setup" \ + --yesno "Do you want to run so-allow to allow access to the web tools?" \ + 8 75 + + local exitstatus=$? + + if [[ $exitstatus == 0 ]]; then + ALLOW_CIDR=$(whiptail --title "Security Onion Setup" \ + --inputbox "Enter a single IP address, or an IP range, in CIDR notation, to allow:" \ + 10 75 3>&1 1>&2 2>&3) + local exitstatus=$? + + export ALLOW_ROLE='a' + export ALLOW_CIDR + fi + + whiptail_check_exitstatus $exitstatus +} + +whiptail_gauge_post_setup() { + + [ -n "$TESTING" ] && return + + local msg=$1 + + whiptail --title "Security Onion Setup" --gauge "$msg" 6 60 96 +} + +whiptail_strelka_rules() { + + [ -n "$TESTING" ] && return + + whiptail --title "Security Onion Setup" --yesno "Do you want to enable the default YARA rules for Strelka?" 8 75 + + local exitstatus=$? + + if [[ $exitstatus == 0 ]]; then export STRELKARULES=1; fi +} + whiptail_suricata_pins() { [ -n "$TESTING" ] && return local filtered_core_list - readarray -t filtered_core_list <<< "$(echo "${cpu_core_list[@]}" "${BROPINS[@]}" | xargs -n1 | sort | uniq -u | awk '{print $1}')" + readarray -t filtered_core_list <<< "$(echo "${cpu_core_list[@]}" "${ZEEKPINS[@]}" | xargs -n1 | sort | uniq -u | awk '{print $1}')" local filtered_core_str=() for item in "${filtered_core_list[@]}"; do @@ -1057,34 +1138,34 @@ whiptail_suricata_pins() { } -whiptail_master_updates() { +whiptail_manager_updates() { [ -n "$TESTING" ] && return local update_string update_string=$(whiptail --title "Security Onion Setup" --radiolist \ "How would you like to download OS package updates for your grid?:" 20 75 4 \ - "MASTER" "Master node is proxy for updates." ON \ + "MANAGER" "Manager node is proxy for updates" ON \ "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus case "$update_string" in - 'MASTER') - MASTERUPDATES='1' + 'MANAGER') + export MANAGERUPDATES='1' ;; *) - MASTERUPDATES='0' + export MANAGERUPDATES='0' ;; esac } -whiptail_master_updates_warning() { +whiptail_manager_updates_warning() { [ -n "$TESTING" ] && return whiptail --title "Security Onion Setup"\ - --msgbox "Updating through the master node requires the master to have internet access, press ENTER to continue"\ + --msgbox "Updating through the manager node requires the manager to have internet access, press ENTER to continue."\ 8 75 local exitstatus=$? @@ -1097,7 +1178,7 @@ whiptail_node_updates() { NODEUPDATES=$(whiptail --title "Security Onion Setup" --radiolist \ "How would you like to download OS package updates for your grid?:" 20 75 4 \ - "MASTER" "Master node is proxy for updates." ON \ + "MANAGER" "Manager node is proxy for updates." ON \ "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? @@ -1109,7 +1190,20 @@ whiptail_you_sure() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --yesno "Are you sure you want to continue a network install of Security Onion?" 8 75 + read -r -d '' you_sure_text <<- EOM + Welcome to Security Onion Setup! + + You can use Setup for lots of different use cases from a small standalone installation to a large distributed deployment for your enterprise. + + Setup uses keyboard navigation and you can use arrow keys to move around. Certain screens may provide a list and ask you to select one or more items from that list. You can use [SPACE] to select items and [ENTER] to proceed to the next screen. + + Would you like to continue? + EOM + + whiptail \ + --title "Security Onion Setup" \ + --yesno "$you_sure_text" \ + 20 75 local exitstatus=$? return $exitstatus diff --git a/so-setup-network b/so-setup-network index 2528ff14b..801782ad4 100755 --- a/so-setup-network +++ b/so-setup-network @@ -15,6 +15,6 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -cd setup || exit +cd "$(dirname "$0")/setup" || exit 255 ./so-setup network "$@" diff --git a/upgrade/so-update-functions b/upgrade/so-update-functions deleted file mode 100644 index dd4235902..000000000 --- a/upgrade/so-update-functions +++ /dev/null @@ -1,205 +0,0 @@ -#!/bin/bash - -# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -# Set the new SO Version - -UPDATEVERSION=1.2.2 -BUILD=HH - -#Determine the current install version - -if [ -f /etc/soversion ]; then - OLDVERSION=$(cat /etc/soversion) -else - OLDVERSION=1.1.4 -fi - -# Use the hostname -HOSTNAME=$(hostname) - -# List all the containers -if [ $MASTERCHECK != 'so-helix' ]; then - TRUSTED_CONTAINERS=( \ - "so-acng:$BUILD$UPDATEVERSION" \ - "so-thehive-cortex:$BUILD$UPDATEVERSION" \ - "so-curator:$BUILD$UPDATEVERSION" \ - "so-domainstats:$BUILD$UPDATEVERSION" \ - "so-elastalert:$BUILD$UPDATEVERSION" \ - "so-elasticsearch:$BUILD$UPDATEVERSION" \ - "so-filebeat:$BUILD$UPDATEVERSION" \ - "so-fleet:$BUILD$UPDATEVERSION" \ - "so-fleet-launcher:$BUILD$UPDATEVERSION" \ - "so-freqserver:$BUILD$UPDATEVERSION" \ - "so-grafana:$BUILD$UPDATEVERSION" \ - "so-idstools:$BUILD$UPDATEVERSION" \ - "so-influxdb:$BUILD$UPDATEVERSION" \ - "so-kibana:$BUILD$UPDATEVERSION" \ - "so-kratos:$BUILD$UPDATEVERSION" \ - "so-logstash:$BUILD$UPDATEVERSION" \ - "so-mysql:$BUILD$UPDATEVERSION" \ - "so-navigator:$BUILD$UPDATEVERSION" \ - "so-nginx:$BUILD$UPDATEVERSION" \ - "so-playbook:$BUILD$UPDATEVERSION" \ - "so-redis:$BUILD$UPDATEVERSION" \ - "so-soc:$BUILD$UPDATEVERSION" \ - "so-soctopus:$BUILD$UPDATEVERSION" \ - "so-steno:$BUILD$UPDATEVERSION" \ - "so-strelka:$BUILD$UPDATEVERSION" \ - "so-suricata:$BUILD$UPDATEVERSION" \ - "so-telegraf:$BUILD$UPDATEVERSION" \ - "so-thehive:$BUILD$UPDATEVERSION" \ - "so-thehive-es:$BUILD$UPDATEVERSION" \ - "so-wazuh:$BUILD$UPDATEVERSION" \ - "so-zeek:$BUILD$UPDATEVERSION" ) - else - TRUSTED_CONTAINERS=( \ - "so-filebeat:$BUILD$UPDATEVERSION" \ - "so-idstools:$BUILD$UPDATEVERSION" \ - "so-logstash:$BUILD$UPDATEVERSION" \ - "so-nginx:$BUILD$UPDATEVERSION" \ - "so-redis:$BUILD$UPDATEVERSION" \ - "so-steno:$BUILD$UPDATEVERSION" \ - "so-suricata:$BUILD$UPDATEVERSION" \ - "so-telegraf:$BUILD$UPDATEVERSION" \ - "so-zeek:$BUILD$UPDATEVERSION" ) - fi - - -clone_to_tmp() { - - # TODO Need to add a air gap option - # Make a temp location for the files - mkdir /tmp/sogh - cd /tmp/sogh - #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git - git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git - cd /tmp - -} - -copy_new_files() { - - # Copy new files over to the salt dir - cd /tmp/sogh/securityonion-saltstack - rsync -a --exclude-from 'exclude-list.txt' salt $default_salt_dir/ - chown -R socore:socore $default_salt_dir/salt - chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh - cd /tmp -} - -detect_os() { - - # Detect Base OS - echo "Detecting Base OS" >> $UPDATELOG 2>&1 - if [ -f /etc/redhat-release ]; then - OS=centos - if grep -q "CentOS Linux release 7" /etc/redhat-release; then - OSVER=7 - elif grep -q "CentOS Linux release 8" /etc/redhat-release; then - OSVER=8 - echo "We currently do not support CentOS $OSVER but we are working on it!" - exit - else - echo "We do not support the version of CentOS you are trying to use" - exit - fi - - elif [ -f /etc/os-release ]; then - OS=ubuntu - if grep -q "UBUNTU_CODENAME=bionic" /etc/os-release; then - OSVER=bionic - elif grep -q "UBUNTU_CODENAME=xenial" /etc/os-release; then - OSVER=xenial - else - echo "We do not support your current version of Ubuntu" - exit - fi - else - echo "We were unable to determine if you are using a supported OS." >> $UPDATELOG 2>&1 - exit - fi - - echo "Found OS: $OS $OSVER" >> $UPDATELOG 2>&1 - -} - -master_check() { - # Check to see if this is a master - MASTERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') - if [ $MASTERCHECK == 'so-eval' OR $MASTERCHECK == 'so-master' OR $MASTERCHECK == 'so-mastersearch' ]; then - echo "This is a master. We can proceed" - else - echo "Please run soup on the master. The master controls all updates." - exit -} - -salt_highstate() { - - salt-call state.highstate - -} - -update_held_packages() { - - if [ $OS == "centos" ] - SALTVER=2019.2.4 - DOCKERVER= - yum -y --disableexcludes=all update salt-$SALTVER - yum -y --disableexcludes=all update docker-ce-$DOCKERVER - else - SALTVER=2019.2.4+ds-1 - DOCKERVER=5:19.03.8~3-0~ubuntu-xenial - fi - -} - -update_all_packages() { - - # Update all the things based on OS - if [ $OS == "centos" ]; then - yum -y update - else - apt -y update && apt -y upgrade - fi - -} - -update_docker_containers() { - - # Download the containers from the interwebs - for i in "${TRUSTED_CONTAINERS[@]}" - do - # Pull down the trusted docker image - echo "Downloading $i" - docker pull --disable-content-trust=false docker.io/soshybridhunter/$i - # Tag it with the new registry destination - docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i - docker push $HOSTNAME:5000/soshybridhunter/$i - done - - for i in "${TRUSTED_CONTAINERS[@]}" - do - echo "Removing $i locally" - docker rmi soshybridhunter/$i - done - -} - -update_hh_version() { - # Change the version number in the static pillar - -} diff --git a/upgrade/soup b/upgrade/soup deleted file mode 100644 index 19fa0203f..000000000 --- a/upgrade/soup +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/bash - -# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -SCRIPTDIR=$(dirname "$0") -source $SCRIPTDIR/so-update-functions - -# Update Packages -master_check -update_all_packages -update_held_packages - - -